Windows Analysis Report
hades.exe

Overview

General Information

Sample name: hades.exe
Analysis ID: 1577085
MD5: e73a9365e27c8d35b86435028297c506
SHA1: c0519c0219c6bd1111ae4388235297361b49aad9
SHA256: e800692d021ed87f0d691d915e76c794175b50b83681508f26330ddea56cb4e0
Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Installs new ROOT certificates
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Keylogger Generic

Classification

  • System is w10x64native
  • hades.exe (PID: 8264 cmdline: "C:\Users\user\Desktop\hades.exe" MD5: E73A9365E27C8D35B86435028297C506)
    • conhost.exe (PID: 8296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • winlogon.exe (PID: 892 cmdline: winlogon.exe MD5: A987B43E6A8E8F894B98A3DF022DB518)
    • lsass.exe (PID: 956 cmdline: C:\Windows\system32\lsass.exe MD5: 15A556DEF233F112D127025AB51AC2D3)
      • svchost.exe (PID: 8920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 3240 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 8176 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 568 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: F586835082F632DC8D9404D83BC16316)
    • fontdrvhost.exe (PID: 556 cmdline: "fontdrvhost.exe" MD5: AB7AB4CF816D091EEE234C1D9BC4FD13)
    • fontdrvhost.exe (PID: 692 cmdline: "fontdrvhost.exe" MD5: AB7AB4CF816D091EEE234C1D9BC4FD13)
    • svchost.exe (PID: 1076 cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1124 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: F586835082F632DC8D9404D83BC16316)
    • dwm.exe (PID: 1188 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • svchost.exe (PID: 1276 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1364 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1428 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: F586835082F632DC8D9404D83BC16316)
    • IntelCpHDCPSvc.exe (PID: 1464 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe MD5: B6BAD2BD8596D9101874E9042B8E2D63)
    • svchost.exe (PID: 1472 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1516 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1532 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1572 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1668 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1756 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: F586835082F632DC8D9404D83BC16316)
    • IntelCpHeciSvc.exe (PID: 1764 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe MD5: 3B0DF35583675DE5A08E8D4C1271CEC0)
    • igfxCUIService.exe (PID: 1788 cmdline: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe MD5: 91038D45A86B5465E8B7E5CD63187150)
    • svchost.exe (PID: 1868 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1876 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1948 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 2028 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1420 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 1728 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 8180 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: F586835082F632DC8D9404D83BC16316)
    • svchost.exe (PID: 2124 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: F586835082F632DC8D9404D83BC16316)
    • OneApp.IGCC.WinService.exe (PID: 3348 cmdline: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe MD5: E9989DBE1A9F598479E9F68475D3C31A)
  • cleanup
No configs have been found
Source; Rule; Description; Author; Strings
    Source: 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
    Source: Process Memory Space: hades.exe PID: 8264; Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hades.exe", ParentImage: C:\Users\user\Desktop\hades.exe, ParentProcessId: 8264, ParentProcessName: hades.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, ProcessId: 568, ProcessName: svchost.exe
      Source: Process started; Author: vburov; Data: Command: winlogon.exe, CommandLine: winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: "C:\Users\user\Desktop\hades.exe", ParentImage: C:\Users\user\Desktop\hades.exe, ParentProcessId: 8264, ParentProcessName: hades.exe, ProcessCommandLine: winlogon.exe, ProcessId: 892, ProcessName: winlogon.exe
      No Suricata rule has matched

      Source: C:\Users\user\Desktop\hades.exe; Code function: 0_2_00007FF7CDAE9C30 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036,0_2_00007FF7CDAE9C30
      Source: hades.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic; HTTP traffic detected:
        GET /r/r1.crl HTTP/1.1
        Cache-Control: max-age = 3000
        Connection: Keep-Alive
        Accept: */*
        If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
        User-Agent: Microsoft-CryptoAPI/10.0
        Host: c.pki.goog
      Source: global traffic; DNS traffic detected: DNS query: c.pki.goog
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1342062576.0000015AB72B0000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
      Source: svchost.exe, 0000000A.00000002.3064985344.000001E00A7AE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
      Source: lsass.exe, 00000004.00000002.3054676757.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1171031830.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000002.3068720863.0000015AB6F7B000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
      Source: lsass.exe, 00000004.00000000.1170676998.0000021B26E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3048285063.0000021B26E00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3033669706.000001E009C2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205403092.000001E009C2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205905773.000001E009CCD000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6FE5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: svchost.exe, 0000000A.00000002.3053467929.000001E00A708000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1206549159.000001E00A708000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1340458852.0000015AB6D81000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabY
      Source: svchost.exe, 0000000A.00000000.1205905773.000001E009CCD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3057611270.000001E00A749000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6FE5000.00000004.00000001.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.10.dr, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.10.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
      Source: svchost.exe, 0000000A.00000002.3033669706.000001E009C2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3066671019.000001E00A7D1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?24fc0dd
      Source: svchost.exe, 0000000A.00000000.1205403092.000001E009C2B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3308e9d
      Source: svchost.exe, 0000000A.00000000.1205469368.000001E009C45000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3034480105.000001E009C40000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabmhx
      Source: svchost.exe, 0000000A.00000002.3038630843.000001E009C86000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3032939785.000001E009C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205403092.000001E009C2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205672066.000001E009C86000.00000004.00000001.00020000.00000000.sdmp, FB0D848F74F70BB2EAA93746D24D9749.10.dr, FB0D848F74F70BB2EAA93746D24D97490.10.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab
      Source: svchost.exe, 0000000A.00000002.3066671019.000001E00A7D1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?27dcbe9d358ea
      Source: svchost.exe, 0000000A.00000002.3032939785.000001E009C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205323632.000001E009C13000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cabD
      Source: svchost.exe, 0000000A.00000003.1254803450.000001E00A797000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3064388466.000001E00A79B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?27dcbe9d35
      Source: lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
      Source: lsass.exe, 00000004.00000000.1170003844.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3031637808.0000021B26650000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
      Source: lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
      Source: edb.log.9.dr, qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/update2/actxsdodvxbjblyjfcbcbc7srcwa_1.3.36.242/GoogleUpda
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E867000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://json-schema.org/draft-07/schema#
      Source: svchost.exe, 00000016.00000002.3087703961.0000020ABD8A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://manifests.mic
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1340458852.0000015AB6CC0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8h
      Source: svchost.exe, 0000000A.00000000.1205728477.000001E009CA1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuN
      Source: lsass.exe, 00000004.00000002.3051677074.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3054676757.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170851675.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170102054.0000021B2669B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3032667377.0000021B26671000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3033476680.0000021B26699000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170003844.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000003.1295721219.0000021B26F10000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1171031830.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3051677074.0000021B26EBA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170851675.0000021B26EBA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1171411489.0000021B27000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3060206251.0000021B27000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3031637808.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170055743.0000021B26671000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000003.1295721219.0000021B26F45000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
      Source: lsass.exe, 00000004.00000002.3054676757.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170003844.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1171031830.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1171411489.0000021B27000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3060206251.0000021B27000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3031637808.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000003.1295721219.0000021B26F45000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
      Source: lsass.exe, 00000004.00000000.1171031830.0000021B26EED000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0Q
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1342062576.0000015AB72B0000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
      Source: lsass.exe, 00000004.00000002.3054676757.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000003.1295721219.0000021B26F10000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1171031830.0000021B26EED000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://oneocsp.microso
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://pki.in?=VS
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1342165387.0000015AB7475000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://pki.intel.com/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1340458852.0000015AB6CC0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://pki.intel.com/crl/IntelCA7B.crl
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1342165387.0000015AB7475000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000002.3068720863.0000015AB6F90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://pki.intel.com/crl/IntelCA7B.crl0f
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1342165387.0000015AB7475000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000002.3068720863.0000015AB6F90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://pki.intel.com/crt/IntelCA7B.crt0
      Source: qmgr.db.9.drString found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
      Source: qmgr.db.9.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
      Source: qmgr.db.9.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/aciwgjnovhktokhzyboslawih45a_2700/jflook
      Source: qmgr.db.9.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/acze3h5f67uhtnjsyv6pabzn277q_298/lmelgle
      Source: qmgr.db.9.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/dp66roauucji6olf7ycwe24lea_6869/hfnkpiml
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Win32
      Source: svchost.exe, 00000018.00000000.1293079967.0000015151070000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
      Source: lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
      Source: lsass.exe, 00000004.00000000.1170003844.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3031637808.0000021B26650000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E732000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E732000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E732000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
      Source: lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170003844.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3031637808.0000021B26650000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
      Source: lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
      Source: lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
      Source: lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
      Source: qmgr.db.9.drString found in binary or memory: http://storage.googleapis.com/update-delta/ggkkehgbnfjpeggfpleeakpidbkibbmn/2021.9.13.1142/2021.9.7.
      Source: qmgr.db.9.drString found in binary or memory: http://storage.googleapis.com/update-delta/jamhcnnkihinmdlkakkaopbjbbcngflc/96.0.4648.2/96.0.4642.0/
      Source: qmgr.db.9.drString found in binary or memory: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/45/43/19f2dc8e4c5c5d0383
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/:NetNamedPipeBinding
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ID3DService/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ID3DService/DeleteD3DDriverProfile
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ID3DService/DeleteD3DDriverProfileResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ID3DService/GetD3DSettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ID3DService/GetD3DSettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ID3DService/SetD3DSettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ID3DService/SetD3DSettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IDSAService/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IDSAService/GetDriverUpdateData
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IDSAService/GetDriverUpdateDataResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IDisplayService/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IDisplayService/GetDisplaySettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IDisplayService/GetDisplaySettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IDisplayService/SetDisplaySettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IDisplayService/SetDisplaySettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPing/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPing/PingDouble
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPing/PingDoubleResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPing/PingInt
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPing/PingIntResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPing/PingStr
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPing/PingStrResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPowerService/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPowerService/GetPowerSettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPowerService/GetPowerSettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPowerService/SetPowerSettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IPowerService/SetPowerSettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IRegistryService/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IRegistryService/GetRegDriverInfo
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IRegistryService/GetRegDriverInfoResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ISystemService/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ISystemService/GetSystemSettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ISystemService/GetSystemSettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ISystemService/SetSystemSettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ISystemService/SetSystemSettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IVideoService/
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IVideoService/GetVideoSettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IVideoService/GetVideoSettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IVideoService/SetVideoSettings
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IVideoService/SetVideoSettingsResponse
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/X
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/x
Source: lsass.exe, 00000004.00000002.3054676757.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170003844.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1171031830.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1171411489.0000021B27000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3060206251.0000021B27000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3031637808.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000003.1295721219.0000021B26F45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 00000027.00000002.3041694921.000001BB714C7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.1329995579.000001BB714C7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com
Source: svchost.exe, 00000027.00000002.3041694921.000001BB714C7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.1329995579.000001BB714C7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com/
Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nlog-project.org/schemas/NLog.xsd
Source: lsass.exe, 00000004.00000002.3051677074.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170851675.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2820781754.000001D689D0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2820378582.000001D689C9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3038630843.000001E009C86000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205672066.000001E009C86000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000002.3104642794.0000026CC1310000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000000.1213430790.0000026CC1310000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000002.3068720863.0000015AB6FAD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: svchost.exe, 00000005.00000002.3064539477.00000240EB243000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.onenote.net/livetile/?Language=
Source: hades.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: svchost.exe, 00000016.00000000.1285534639.0000020ABDE74000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1324136377.0000020ABDE74000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.22.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod
Source: qmgr.db.9.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000016.00000000.1285534639.0000020ABDE74000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1324136377.0000020ABDE74000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.22.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdC:
Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://github.com/nlog/NLog/wiki/Configuration-file#variables
Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://github.com/nlog/NLog/wiki/Layout-Renderers
Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://github.com/nlog/NLog/wiki/Targets
Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://github.com/nlog/nlog/wiki/Configuration-file
Source: qmgr.db.9.dr | String found in binary or memory: https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xmlPC:
Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E867000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://nlog-project.org/
Source: lsass.exe, 00000004.00000002.3051677074.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170851675.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2820781754.000001D689D0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2820378582.000001D689C9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3038630843.000001E009C86000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205672066.000001E009C86000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000002.3104642794.0000026CC1310000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000000.1213430790.0000026CC1310000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1342062576.0000015AB72B0000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 00000005.00000002.3066283169.00000240EB25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1178749041.00000240EB25F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://spclient.wg.spotify.com/v1/live-tile-xml?region=
Source: svchost.exe, 00000005.00000002.3034400131.00000240EA813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3071757513.00000240EB2E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.cn/shellRESP
Source: svchost.exe, 00000005.00000002.3034400131.00000240EA813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3071757513.00000240EB2E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com/shell
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.22.dr | String found in binary or memory: https://wns2-ch1p.notify.windows.com/?token=AwYAAAA0tIv%2fKUIv3tper7g4NmjPPRDD0C5Bh0RTB8YXBLjQFxugt0
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.22.dr | String found in binary or memory: https://wns2-ch1p.notify.windows.com/?token=AwYAAACBIgRjPVqQ2CTepCl3R%2brNfLfQtPGKPf0Eg7IvqRlUVtlpb7
Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E867000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: hades.exe, 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: DirectInput8Creatememstr_224befd3-f
Source: hades.exe, 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_d709bae4-4
Source: Yara match | File source: 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hades.exe PID: 8264, type: MEMORYSTR
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAF5B60 NtWriteFile, WaitForSingleObject, RtlNtStatusToDosError, GetModuleHandleW, FormatMessageW, GetLastError
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAD5AC0
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDADEF00
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAD5500
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAD2A50
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDADFA90
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAD1E60
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAD4920
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAE38D0
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAE34C0
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEB250
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEB820
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAECE20
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEC680
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEA670
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAFFDD0
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEABB0
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDB05BA0
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDB06000
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDB077F0
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEC3F0
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAE3B50
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAFEF50
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEC950
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDB02940
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAF6B30
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEBF30
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAD6D20
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEBB20
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAE9D20
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAECB90
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAED170
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDB00360
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAF5B60
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAEB560
Source: C:\Users\user\Desktop\hades.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\hades.exe | Process token adjusted: Security
Source: hades.exe, 00000000.00000002.3041938638.000001409C31C000.00000040.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs hades.exe
Source: hades.exe, 00000000.00000002.3100086552.000001409E640000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs hades.exe
Source: hades.exe, 00000000.00000002.3088766792.000001409D9A0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerpcrt4.dllj% vs hades.exe
Source: hades.exe, 00000000.00000002.3072228016.000001409CF60000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs hades.exe
Source: hades.exe, 00000000.00000002.3075527679.000001409D0C0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameApphelpj% vs hades.exe
Source: hades.exe, 00000000.00000002.3059829424.000001409C920000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs hades.exe
Source: hades.exe, 00000000.00000002.3074073179.000001409D070000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: {18A8B5B2-9D2F-4DB2-8307-196B5CC0CE6B}{9DE6F12F-0CB2-45E3-BAF1-FB0978255646}{22624CAC-FE50-451E-9261-E7F22AAB93EC}{5F72496A-514E-45FD-BF6C-21D75296EB78}{63C7DCCD-B53C-4A01-A9E3-30F6C38D793E}{8F5A098F-FE98-46EB-B2F6-859078D5E2F7}{E1236381-9522-4BB0-B0AB-AEF2CAB1205F}{10C4200A-0E69-40EA-8153-5F6ABB003C08}{E6B77E90-C966-4BC5-A29B-3EF9B2ADFFD1}{D2F983A5-5880-4964-B98F-67319C3625C4}{6E71D560-6E08-49E6-BF04-F94C85B54355}{3BE690E1-0665-430A-8F6D-89DDD4857989}{AB0BCAAD-7CC5-4CDA-A544-F858E7FF5B8D}{8AEE3B6E-E9A4-40B1-96EC-042F74EB8DCC}{0E7910B7-47A1-4EA8-AC71-63BD4126BF30}{59723693-A1CD-43FC-B4EC-CB48BDACF030}{73A8CA94-C105-4027-90FE-648F9D7B00ED}{9BD0B321-F521-46FA-9B06-0A5E6B0461C8}{A0B2DCF2-CBA3-4534-8EE2-D12D26ABB17B}{852EA32A-1D7A-49CC-8166-77B9DAEFBF7D}{9E248A91-7917-4105-BD0D-31E4965EC06E}{CCF7A2DD-43C3-4C6F-AB68-AF441163D0A0}{097A5E89-584D-4C58-B374-F31A68CA381D}{F83A0FCD-6D48-4714-8A38-D06D376AA7A0}{CECAF199-3F16-46C9-9F81-2905C16E0042}{8FFCB6B3-B3FF-401A-AD20-A5390AAA62B7}{A9C0CE5E-9A1A-47C9-82B6-538C880FDFF0}{8E412EFC-5B34-4C46-9BB4-71F7290EFE3F}FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyrightAcGenral.dllAcLayers.dllAcRes.dllAcSpecfc.dllAcWinRT.dllacwow64.dllAcXtrnal.dllKeyboardFilterShim.dllMasterShim.dlldepdetctuacdetctluadgmgt.dllluapriv.dllEMET.dllEMET64.dllLogExts.dllLogShim.dllInstallerDetectionSetupLayer.exeDXGUseWarpRenderingEntry.exeContainer32bitCompatModeEntry.exeNTDLL.DLLVERIFIER.DLLETW0 vs hades.exe
Source: System.evtx.22.dr | Binary string: \Device\HarddiskVolume4\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.22.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exed
Source: Microsoft-Windows-TZUtil%4Operational.evtx.22.dr | Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1m
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: 4\Device\HarddiskVolume4\Windows\System32\spoolsv.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.22.dr | Binary string: computer WORKGROUP:\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe=
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.22.dr | Binary string: J\Device\HarddiskVolume4\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.22.dr | Binary string: 1\Device\HarddiskVolume4\Windows\System32\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-TZUtil%4Operational.evtx.22.dr | Binary string: .\Device\HarddiskVolume2\EFI\Microsoft\Boot\BCD~
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.22.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeo
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe2
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.22.dr | Binary string: :\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe3
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.22.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeD
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe<
Source: Microsoft-Windows-TZUtil%4Operational.evtx.22.dr | Binary string: C:\Device\HarddiskVolume4K
Source: Microsoft-Windows-SMBServer%4Operational.evtx.22.dr | Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-TZUtil%4Operational.evtx.22.dr | Binary string: C:\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe=
Source: System.evtx.22.dr | Binary string: \Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.22.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: 5\Device\HarddiskVolume4\Windows\System32\services.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.22.dr | Binary string: 1\Device\HarddiskVolume4\Windows\System32\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeo
Source: Microsoft-Windows-TZUtil%4Operational.evtx.22.dr | Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1iceV
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe3
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.22.dr | Binary string: >\Device\HarddiskVolume4\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.22.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeT_AH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr | Binary string: _\Device\HarddiskVolume4\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe
Source: classification engine | Classification label: mal60.evad.winEXE@5/73@1/2
Source: C:\Users\user\Desktop\hades.exe | Code function: 0_2_00007FF7CDAF5B60 NtWriteFile, WaitForSingleObject, RtlNtStatusToDosError, GetModuleHandleW, FormatMessageW, GetLastError
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8296:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8296:120:WilError_03
Source: hades.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\hades.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hades.exe | String found in binary or memory: /Added module with hash: to REMAPPED_MODULES with base address: @
Source: unknown | Process created: C:\Users\user\Desktop\hades.exe "C:\Users\user\Desktop\hades.exe"
Source: C:\Users\user\Desktop\hades.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Users\user\Desktop\hades.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: C:\Users\user\Desktop\hades.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hades.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\hades.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: vaultsvc.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
      Source: hades.exeStatic PE information: Image base 0x140000000 > 0x60000000
      Source: hades.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: hades.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: hades.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: hades.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: hades.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: hades.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: hades.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: hades.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: msvcrt.pdbGCTL source: hades.exe, 00000000.00000002.3082370917.000001409D520000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: svchost.exe, 00000015.00000000.1276422011.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3031933411.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: bcrypt.pdb source: hades.exe, 00000000.00000002.3100591975.000001409E6C0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: rpcrt4.pdb source: hades.exe, 00000000.00000002.3087599460.000001409D930000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: @C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdb source: svchost.exe, 00000015.00000000.1276309286.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3029607640.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: ucrtbase.pdb source: hades.exe, 00000000.00000002.3095095530.000001409DEF0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: msvcrt.pdb source: hades.exe, 00000000.00000002.3082370917.000001409D520000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\TCDE6D0.tmp.pdb source: svchost.exe, 00000015.00000000.1276422011.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3031933411.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: rpcrt4.pdbUGP source: hades.exe, 00000000.00000002.3087599460.000001409D930000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: hades.pdb$ source: hades.exe
      Source: Binary string: bcryptprimitives.pdbUGP source: hades.exe, 00000000.00000002.3077875904.000001409D1F0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: advapi32.pdb source: hades.exe, 00000000.00000002.3080252967.000001409D370000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000015.00000000.1276309286.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3029607640.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: msvcp_win.pdb source: hades.exe, 00000000.00000002.3092003866.000001409DCA0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\acrord32_super_sbxd.pdb source: svchost.exe, 00000015.00000000.1276422011.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3031933411.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: hades.pdb source: hades.exe
      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062.pdb source: svchost.exe, 00000015.00000000.1276351969.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3030543829.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: kernel32.pdb source: hades.exe, 00000000.00000002.3059829424.000001409C920000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error6;zE source: svchost.exe, 00000015.00000000.1276351969.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3030543829.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991 source: svchost.exe, 00000015.00000000.1276351969.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3030543829.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: combase.pdbUGP source: hades.exe, 00000000.00000002.3098799090.000001409E520000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\TCDE6CF.tmp.pdb source: svchost.exe, 00000015.00000002.3032637872.0000021EA946C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1276455001.0000021EA946C000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: ucrtbase.pdbUGP source: hades.exe, 00000000.00000002.3095095530.000001409DEF0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: cryptbase.pdbUGP source: hades.exe, 00000000.00000002.3102575581.000001409E7F0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000015.00000000.1276422011.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3031933411.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: bcrypt.pdbUGP source: hades.exe, 00000000.00000002.3100591975.000001409E6C0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: kernel32.pdbUGP source: hades.exe, 00000000.00000002.3059829424.000001409C920000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: sechost.pdb source: hades.exe, 00000000.00000002.3084632341.000001409D690000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdbTCDE&@ source: svchost.exe, 00000015.00000000.1276351969.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3030543829.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: D:\a01\_work\9\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: hades.exe, 00000000.00000002.3101474642.000001409E750000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: ntdll.pdbUGP source: hades.exe, 00000000.00000002.3050162281.000001409C6D0000.00000040.00000001.00020000.00000000.sdmp
      Source: Binary string: apphelp.pdbUGP source: hades.exe, 00000000.00000002.3074073179.000001409D070000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: "@C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000015.00000000.1276309286.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3029607640.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: sechost.pdbUGP source: hades.exe, 00000000.00000002.3084632341.000001409D690000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.errorI:zE source: svchost.exe, 00000015.00000000.1276351969.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3030543829.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: kernelbase.pdbUGP source: hades.exe, 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdb source: svchost.exe, 00000015.00000000.1276351969.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3030543829.0000021EA9449000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\ntkrnlmp.pdb source: svchost.exe, 00000015.00000000.1276309286.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3029607640.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: msvcp_win.pdbUGP source: hades.exe, 00000000.00000002.3092003866.000001409DCA0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: advapi32.pdbUGP source: hades.exe, 00000000.00000002.3080252967.000001409D370000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: cryptbase.pdb source: hades.exe, 00000000.00000002.3102575581.000001409E7F0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: bcryptprimitives.pdb source: hades.exe, 00000000.00000002.3077875904.000001409D1F0000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: oleaut32.pdbUGP source: hades.exe, 00000000.00000002.3089490300.000001409DB20000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\TCDE6D1.tmp.pdb source: svchost.exe, 00000015.00000000.1276422011.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3031933411.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: ntdll.pdb source: hades.exe, 00000000.00000002.3050162281.000001409C6D0000.00000040.00000001.00020000.00000000.sdmp
      Source: Binary string: combase.pdb source: hades.exe, 00000000.00000002.3098799090.000001409E520000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000015.00000000.1276309286.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3029607640.0000021EA942A000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: oleaut32.pdb source: hades.exe, 00000000.00000002.3089490300.000001409DB20000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: apphelp.pdb source: hades.exe, 00000000.00000002.3074073179.000001409D070000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000015.00000000.1276422011.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3031933411.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000015.00000000.1276422011.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3031933411.0000021EA9457000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: kernelbase.pdb source: hades.exe, 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp
      Source: hades.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: hades.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: hades.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: hades.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: hades.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Persistence and Installation Behavior

      Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
      Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
      Source: C:\Windows\System32\lsass.exe	Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
      Source: C:\Windows\System32\lsass.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\lsass.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\hades.exe	Section loaded: OutputDebugStringW count: 1984
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe	Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe	Window / User API: threadDelayed 7894
      Source: C:\Windows\System32\svchost.exe TID: 3144	Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 3144	Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 7124	Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe TID: 3104	Thread sleep count: 7894 > 30
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe TID: 3104	Thread sleep count: 100 > 30
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe TID: 3120	Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe TID: 3120	Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe TID: 3120	Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0
      Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe	Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation
      Source: C:\Windows\System32\svchost.exe	Thread delayed: delay time: 30000
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe	Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe	Thread delayed: delay time: 30000
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe	Thread delayed: delay time: 30000
      Source: lsass.exe, 00000004.00000000.1170231533.0000021B266A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
      Source: svchost.exe, 00000005.00000000.1177850145.00000240EAA35000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmicheartbeat
      Source: svchost.exe, 00000016.00000000.1280331515.0000020ABC840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3035566183.0000020ABC840000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
      Source: lsass.exe, 00000004.00000000.1170231533.0000021B266A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
      Source: svchost.exe, 00000005.00000002.3068023445.00000240EB26E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
      Source: hades.exe, 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
      Source: svchost.exe, 00000005.00000002.3068023445.00000240EB26E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
      Source: svchost.exe, 00000008.00000002.3030161534.000002E09CC2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1197674162.000002E09CC2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2820175101.000001D689C86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2818277444.000001D687E2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3033669706.000001E009C2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1824282984.000001E00A789000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1825641229.000001E00A78A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
      Source: svchost.exe, 00000025.00000002.3029796273.000002CDA9800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
      Source: lsass.exe, 00000004.00000000.1170231533.0000021B266A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
      Source: svchost.exe, 00000005.00000000.1177850145.00000240EAA35000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmicshutdown
      Source: hades.exe, 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
      Source: lsass.exe, 00000004.00000000.1170231533.0000021B266A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdownLMEM
      Source: svchost.exe, 00000008.00000002.3030161534.000002E09CC2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1197674162.000002E09CC2A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
      Source: lsass.exe, 00000004.00000000.1170231533.0000021B266A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeatLMEM 8
      Source: svchost.exe, 00000005.00000000.1177850145.00000240EAA35000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicshutdown
      Source: lsass.exe, 00000004.00000002.3029890441.0000021B26613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169904070.0000021B26613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205403092.000001E009C2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.1205149360.000002413BE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3026165724.000002413BE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3031564637.0000019AC2224000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.1251164340.0000019AC2224000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1253329719.000002BAEEA29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3026566836.000002BAEEA29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1260646173.000002603466B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3036083290.000002603466B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: svchost.exe, 00000005.00000000.1177850145.00000240EAA35000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicheartbeat
      Source: svchost.exe, 00000005.00000002.3068023445.00000240EB26E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
      Source: OneApp.IGCC.WinService.exe, 00000028.00000000.1340458852.0000015AB6CC0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSS
      Source: C:\Users\user\Desktop\hades.exe	Process information queried: ProcessInformation
      Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort
      Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort
      Source: C:\Users\user\Desktop\hades.exe	Code function: 0_2_00007FF7CDB05634 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7CDB05634
      Source: C:\Users\user\Desktop\hades.exe	Process token adjusted: Debug
      Source: C:\Users\user\Desktop\hades.exe	Code function: 0_2_00007FF7CDB05634 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7CDB05634
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CDC0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CE70000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CE80000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CE90000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CEA0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CEB0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CEC0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CED0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CEE0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CEF0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CF00000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CF30000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CF40000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CF50000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CF60000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CF70000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CF80000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CF90000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CFA0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CFB0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 19E9CFC0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26D00000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26D20000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26D30000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26D40000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26D50000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26D60000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26D70000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26D80000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26D90000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26DA0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26DB0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26DC0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26DD0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26DE0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B26DF0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27200000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27210000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27220000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27230000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27240000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27250000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27260000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27270000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27280000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B27290000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B272A0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B272B0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B272C0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 21B272D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B272E0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B272F0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B27300000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B27310000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B27320000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B27330000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B27340000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B27350000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B27360000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\lsass.exe base: 21B27370000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EB9E0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EB9F0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE00000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE10000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE20000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE30000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE40000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE50000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE60000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE70000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE80000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBE90000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBEA0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBEB0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBEC0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBED0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBEE0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBEF0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF00000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF10000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF20000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF30000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF40000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF50000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF60000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF70000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF80000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBF90000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBFA0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBFB0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBFC0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBFD0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBFE0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EBFF0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC000000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC010000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC020000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC030000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC040000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC050000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC060000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC070000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC080000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC090000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC0A0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC0B0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC0C0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC0D0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC0E0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC0F0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC100000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC110000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC120000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC130000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC140000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC150000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC160000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC170000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC180000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC190000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC1A0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC1B0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC1C0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC1D0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC1E0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC1F0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC200000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC210000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC220000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC230000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC240000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC250000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC260000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC270000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC280000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC290000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC2A0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC2B0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC2C0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC2D0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC2E0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC2F0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC300000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC310000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC320000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC330000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 240EC340000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08BD0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08BE0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08BF0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C00000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C10000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C20000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C30000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C40000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C50000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C60000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C70000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C80000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08C90000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08CA0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 28B08CB0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D268F0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27BD0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27BE0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27BF0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C00000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C10000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C20000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C30000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C40000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C50000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C60000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C70000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C80000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27C90000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 19D27CA0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D4D0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D570000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D5F0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D800000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D810000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D820000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D830000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D840000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D850000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D860000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D870000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D890000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D8A0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D8B0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D8C0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D8D0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D8E0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D8F0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D900000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D910000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D920000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D930000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D940000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D950000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D960000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D970000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D980000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D590000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D5C0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D990000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D9A0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D9B0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D9C0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D9D0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D9E0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09D9F0000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2E09DA00000 protect: page execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2E09DA10000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2E09DA20000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CB60000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CB70000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CB80000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CB90000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CBA0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CBB0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CBC0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CBD0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CBE0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CBF0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC00000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC10000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC20000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC30000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC40000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC50000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC60000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC70000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC80000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CC90000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CCA0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CCB0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CCC0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2413CCD0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7420000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7430000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7440000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7460000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7470000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7480000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7490000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC74A0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC74B0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC74D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7530000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7540000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7570000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7580000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7590000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC75A0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC75B0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC75C0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC75D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC75E0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC75F0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7600000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7610000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7620000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7630000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7640000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7650000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7660000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7670000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7680000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7690000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC76A0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC76B0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC76C0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC76D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC76E0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC76F0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7700000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7710000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7720000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7730000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7740000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7750000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7760000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7840000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7850000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7860000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7870000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7880000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7890000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC78A0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC78B0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC78C0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC78D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC78E0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC78F0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7900000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7910000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7920000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7930000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7940000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7950000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7960000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7970000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7980000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7990000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC79A0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC79B0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC79C0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC79D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC79E0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC79F0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7A00000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7A10000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7A20000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7A30000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7A40000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7A50000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7A60000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7A70000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26CC7A80000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD3BD0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD3BE0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD3BF0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD43A0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD43B0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD43C0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD43D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD43E0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD43F0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD4940000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD4950000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD4960000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD4970000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD4980000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27AD4990000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2A70000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2A80000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2A90000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2AA0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2AB0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2AC0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2AD0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2AE0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2AF0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2B00000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2B10000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2B20000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2B30000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2B40000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19AC2B50000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF360000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF370000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF380000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF390000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF3A0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF3B0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF3C0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF3D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF3E0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF3F0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF940000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF950000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF960000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF970000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BAEF980000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F080000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F090000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F0A0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F0B0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F0C0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F0D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F0E0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F0F0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F100000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F110000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F120000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9F130000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\hades.exe NtQuerySystemInformation: Direct from: 0x7FF7CDADD527
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtClose: Direct from: 0x7FF9A68B688C
      Source: C:\Users\user\Desktop\hades.exe NtDeviceIoControlFile: Direct from: 0x7FF7CDAF644B
      Source: C:\Users\user\Desktop\hades.exe NtResumeThread: Direct from: 0x7FF7CDADDC81
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtClose: Direct from: 0x7FF9A68B9B73
      Source: C:\Users\user\Desktop\hades.exe NtAllocateVirtualMemory: Direct from: 0x7FF7CDAD7A6D
      Source: C:\Users\user\Desktop\hades.exe NtAllocateVirtualMemory: Direct from: 0x7FF7CDB06B44
      Source: C:\Users\user\Desktop\hades.exe NtDeviceIoControlFile: Direct from: 0x7FF7CDAF60EA
      Source: C:\Users\user\Desktop\hades.exe NtQuerySystemInformation: Direct from: 0x7FF7CDADDDD6
      Source: C:\Users\user\Desktop\hades.exe NtProtectVirtualMemory: Direct from: 0x7FF7CDADA771
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtDelayExecution: Direct from: 0x7FF9A68B5023
      Source: C:\Users\user\Desktop\hades.exe NtClose: Direct from: 0x7FF7CDADB85C
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtSetTimerEx: Direct from: 0x7FF9B9A22651
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtResumeThread: Direct from: 0x7FF9A68B89C9
      Source: C:\Users\user\Desktop\hades.exe NtAllocateVirtualMemory: Direct from: 0x7FF9B9A44B1E
      Source: C:\Users\user\Desktop\hades.exe NtMapViewOfSection: Direct from: 0x7FF7CDADDE75
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtSetTimerEx: Direct from: 0x7FF9A68B8A6B
      Source: C:\Users\user\Desktop\hades.exe NtUnmapViewOfSection: Direct from: 0x7FF7CDADD5B4
      Source: C:\Users\user\Desktop\hades.exe NtWriteVirtualMemory: Direct from: 0x7FF7CDADE1C3
      Source: C:\Users\user\Desktop\hades.exe NtAllocateVirtualMemory: Direct from: 0x7FF7CDADAD00
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtQuerySystemInformation: Direct from: 0x7FF9A68B649D
      Source: C:\Users\user\Desktop\hades.exe NtAllocateVirtualMemory: Direct from: 0x7FF7CDAD288B
      Source: C:\Users\user\Desktop\hades.exe NtUnmapViewOfSection: Direct from: 0x7FF7CDADD674
      Source: C:\Users\user\Desktop\hades.exe NtProtectVirtualMemory: Direct from: 0x7FF7CDADB077
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtQuerySystemInformation: Direct from: 0x7FF9A68B8916
      Source: C:\Users\user\Desktop\hades.exe NtUnmapViewOfSection: Direct from: 0x7FF7CDAD8394
      Source: C:\Users\user\Desktop\hades.exe NtReadVirtualMemory: Direct from: 0x7FF7CDADE661
      Source: C:\Users\user\Desktop\hades.exe NtUnmapViewOfSection: Direct from: 0x7FF7CDADDE4D
      Source: C:\Users\user\Desktop\hades.exe NtSuspendThread: Direct from: 0x7FF7CDADD6A6
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtDelayExecution: Direct from: 0x7FF9A68B9E2D
      Source: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe NtQueueApcThread: Direct from: 0x7FF9A68BA0A6
      Source: C:\Users\user\Desktop\hades.exe NtClose: Direct from: 0x7FF7CDADDC8A
      Source: C:\Users\user\Desktop\hades.exe NtUnmapViewOfSection: Direct from: 0x7FF7CDAD7A97
      Source: C:\Users\user\Desktop\hades.exe NtWriteVirtualMemory: Direct from: 0x7FF7CDADE7F1
      Source: C:\Users\user\Desktop\hades.exe NtMapViewOfSection: Indirect: 0x7FF7CDADA23E
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CDC0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CDC0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CE90000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CE90000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CEC0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CEC0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CEF0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CEF0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CF40000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CF40000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CF70000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CF70000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CFA0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\winlogon.exe base: 19E9CFA0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26D00000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26D00000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26D40000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26D40000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26D70000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26D70000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26DA0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26DA0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26DD0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B26DD0000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B27200000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B27200000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B27230000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B27230000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B27260000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B27260000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B27290000
      Source: C:\Users\user\Desktop\hades.exe Memory written: C:\Windows\System32\lsass.exe base: 21B27290000
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\lsass.exe base: 21B272C0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\lsass.exe base: 21B272C0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\lsass.exe base: 21B272F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\lsass.exe base: 21B272F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\lsass.exe base: 21B27320000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\lsass.exe base: 21B27320000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\lsass.exe base: 21B27350000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\lsass.exe base: 21B27350000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EB9E0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EB9E0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBE10000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBE10000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBE40000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBE40000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBE70000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBE70000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBEA0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBEA0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBED0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBED0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBF00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBF00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBF30000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBF30000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBF60000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBF60000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBF90000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBF90000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBFC0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBFC0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBFF0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EBFF0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC020000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC020000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC050000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC050000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC080000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC080000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC0B0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC0B0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC0E0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC0E0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC110000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC110000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC140000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC140000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC170000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC170000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC1A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC1A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC1D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC1D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC200000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC200000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC230000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC230000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC260000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC260000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC290000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC290000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC2C0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC2C0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC2F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC2F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC320000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 240EC320000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08BD0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08BD0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08C00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08C00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08C30000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08C30000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08C60000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08C60000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08C90000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 28B08C90000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D268F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D268F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D27BF0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D27BF0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D27C20000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D27C20000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D27C50000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D27C50000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D27C80000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 19D27C80000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D4D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D4D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D800000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D800000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D830000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D830000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D860000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D860000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D8A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D8A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D8D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D8D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D900000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D900000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D930000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D930000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D960000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D960000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D590000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D590000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D9A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D9A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D9D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09D9D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09DA00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2E09DA00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CB60000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CB60000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CB90000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CB90000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CBC0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CBC0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CBF0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CBF0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CC20000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CC20000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CC50000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CC50000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CC80000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CC80000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CCB0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2413CCB0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7420000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7420000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7460000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7460000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7490000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7490000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC74D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC74D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7570000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7570000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC75A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC75A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC75D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC75D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7600000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7600000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7630000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7630000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7660000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7660000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7690000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7690000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC76C0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC76C0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC76F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC76F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7720000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7720000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7750000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7750000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7850000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7850000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7880000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7880000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC78B0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC78B0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC78E0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC78E0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7910000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7910000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7940000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7940000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7970000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7970000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC79A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC79A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC79D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC79D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7A00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7A00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7A30000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7A30000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7A60000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\dwm.exe base: 26CC7A60000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD3BD0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD3BD0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD43A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD43A0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD43D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD43D0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD4940000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD4940000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD4970000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 27AD4970000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2A70000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2A70000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2AA0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2AA0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2AD0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2AD0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2B00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2B00000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2B30000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 19AC2B30000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF360000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF360000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF390000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF390000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF3C0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF3C0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF3F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF3F0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF960000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 2BAEF960000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F080000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F080000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F0B0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F0B0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F0E0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F0E0000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F110000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F110000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F140000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD9F140000Jump to behavior
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26034FC0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26034FF0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035560000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035590000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 260355C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 260355F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035A20000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035A50000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035A80000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035AB0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035AE0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035B10000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035B40000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035B70000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035BA0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035BD0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035C00000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035C30000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26035C60000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1DF286D0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1DF28730000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1DF28760000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1DF28790000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1DF287C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1DF290E0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1DF29110000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1A6AD5F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1A6ADB60000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1A6ADB90000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1A6ADBC0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1A6ADBF0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1A6ADC20000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1A6ADC50000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1A6ADC80000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 226174C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 226174F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 22617520000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 22617550000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21EA9D80000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21EA9DB0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21EA9DE0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21EAA490000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21EAA4C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21EAA4F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABC7F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABD290000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABD2C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABD2F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABD320000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABD350000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABD380000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABD3B0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABD3E0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABF210000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABF240000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABF270000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABF2A0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABF2D0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 20ABF300000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1B1137B0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1B1137E0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1B113E50000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1B113E80000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1B113EB0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1B113EE0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1B113F10000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 15151600000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 15151630000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 15151660000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 15151690000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 151516C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 151516F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 15151720000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 15151750000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 15151780000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 151517B0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 151517E0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 236889C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 23689590000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 236895C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 236895F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 23689620000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 23689650000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 245CA1A0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 245CA1D0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 245CA200000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 245CA230000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 245CA260000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 245CA6E0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 245CA710000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 19F50D80000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 19F50DB0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 19F50DE0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 19F515B0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1F834BD0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1F835000000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1F835030000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1F835060000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1F835090000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 1F8350C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 263817F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26381FF0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26382220000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26382250000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26382280000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 263822B0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 263822E0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26382310000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26382340000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 29A7E7C0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 29A7E7F0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 29A7EFC0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 29A7EFF0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26010AE0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26010B10000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26010B40000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26010B70000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26010BA0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 26010BD0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21E5A2D0000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21E5A300000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21E5A330000
      Source: C:\Users\user\Desktop\hades.exe  Memory written: C:\Windows\System32\svchost.exe base: 21E5A360000
      Source: winlogon.exe, 00000003.00000000.1166770255.0000019E9D311000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000003.00000002.3059172163.0000019E9D310000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000002.3104642794.0000026CC1310000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: Program Manager
      Source: winlogon.exe, 00000003.00000000.1166770255.0000019E9D311000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000003.00000002.3059172163.0000019E9D310000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000000.1211462196.0000026CBF160000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
      Source: winlogon.exe, 00000003.00000000.1166770255.0000019E9D311000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000003.00000002.3059172163.0000019E9D310000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000000.1211462196.0000026CBF160000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\hades.exeCode function: 0_2_00007FF7CDB0550C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7CDB0550C
      Source: svchost.exe, 00000016.00000002.3094196320.0000020ABDACB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1320090269.0000020ABDACB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1317228899.0000020ABDACB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1284059724.0000020ABDACB000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.22.drBinary or memory string: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpEng.exe
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: 2 Command and Scripting Interpreter, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: 1 Windows Service, 1 LSASS Driver, 1 DLL Side-Loading, Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: 1 Windows Service, 22 Process Injection, 1 Abuse Elevation Control Mechanism, 1 LSASS Driver, 1 DLL Side-Loading, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: 1 Masquerading, 1 Modify Registry, 1 Disable or Modify Tools, 141 Virtualization/Sandbox Evasion, 22 Process Injection, 1 Abuse Elevation Control Mechanism, 1 Install Root Certificate, 1 DLL Side-Loading
Credential Access: 21 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: 1 System Time Discovery, 41 Security Software Discovery, 2 Process Discovery, 141 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 23 System Information Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: 21 Input Capture, 1 Archive Collected Data, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: 2 Encrypted Channel, 1 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 2 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://oneocsp.microso | 0% | Avira URL Cloud | safe |
http://www.nlog-project.org/schemas/NLog.xsd | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org | 0% | Avira URL Cloud | safe |
https://nlog-project.org/ | 0% | Avira URL Cloud | safe |
http://ocsp.sectigo.com0 | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/ | 0% | Avira URL Cloud | safe |
http://crl.ver) | 0% | Avira URL Cloud | safe |
http://schemas.micro | 0% | Avira URL Cloud | safe |
http://manifests.mic | 0% | Avira URL Cloud | safe |
http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe |
https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/Microsoft.Win32 | 0% | Avira URL Cloud | safe |
http://crl.mi | 0% | Avira URL Cloud | safe |
http://pki.in?=VS | 0% | Avira URL Cloud | safe |
http://crl.v | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
pki-goog.l.google.com | 74.125.139.94 | true | false | | high
c.pki.goog | unknown | unknown | false | | high
            NameSourceMaliciousAntivirus DetectionReputation
            http://tempuri.org/ISystemService/SetSystemSettingsResponseOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
              high
              http://tempuri.org/IDisplayService/GetDisplaySettingsResponseOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                high
                https://wns2-ch1p.notify.windows.com/?token=AwYAAACBIgRjPVqQ2CTepCl3R%2brNfLfQtPGKPf0Eg7IvqRlUVtlpb7Microsoft-Windows-PushNotification-Platform%4Operational.evtx.22.drfalse
                  high
                  http://www.nlog-project.org/schemas/NLog.xsdOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://schemas.datacontract.orgOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://schemas.xmlsoap.org/wsdl/ertieslsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpfalse
                    high
                    http://OCSP.intel.com//MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xOneApp.IGCC.WinService.exe, 00000028.00000000.1340458852.0000015AB6CC0000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000002.3050346749.0000015AB6D30000.00000004.00000001.00020000.00000000.sdmpfalse
                      high
                      http://tempuri.org/ID3DService/OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                        high
                        http://tempuri.org/IDisplayService/GetDisplaySettingsOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                          high
                          http://tempuri.org/IPowerService/GetPowerSettingsResponseOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                            high
                            http://tempuri.org/IVideoService/GetVideoSettingsOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                              high
                              https://nlog-project.org/OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E867000.00000004.00000001.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://tempuri.org/OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                high
                                http://c.pki.goog/r/r1.crlsvchost.exe, 0000000A.00000000.1205728477.000001E009CA1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3039473296.000001E009CA1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3057611270.000001E00A749000.00000004.00000001.00020000.00000000.sdmp, 05DDC6AA91765AACACDB0A5F96DF8199.10.drfalse
                                  high
                                  http://oneocsp.microsolsass.exe, 00000004.00000002.3054676757.0000021B26EED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000003.1295721219.0000021B26F10000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1171031830.0000021B26EED000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/IVideoService/GetVideoSettingsResponseOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                    high
                                    http://pki.intel.com/crl/IntelCA7B.crl0fOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1342165387.0000015AB7475000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000002.3068720863.0000015AB6F90000.00000004.00000001.00020000.00000000.sdmpfalse
                                      high
                                      http://tempuri.org/IRegistryService/OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                        high
                                        http://tempuri.org/:NetNamedPipeBindingOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmpfalse
                                          high
                                          http://tempuri.org/ID3DService/DeleteD3DDriverProfileResponseOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E732000.00000004.00000001.00020000.00000000.sdmpfalse
                                              high
                                              http://tempuri.org/ISystemService/SetSystemSettingsOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                high
                                                http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  high
                                                  https://g.live.com/odclientsettings/Prodsvchost.exe, 00000016.00000000.1285534639.0000020ABDE74000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1324136377.0000020ABDE74000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.22.drfalse
                                                    high
                                                    http://pki.intel.com/crl/IntelCA7B.crlOneApp.IGCC.WinService.exe, 00000028.00000000.1340458852.0000015AB6CC0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.datacontract.org/2004/07/OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://crl.ver)svchost.exe, 00000009.00000003.2515361191.000001D689C43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2819728692.000001D689C43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3038630843.000001E009C86000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205672066.000001E009C86000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://tempuri.org/ISystemService/GetSystemSettingsOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        http://tempuri.org/IPing/PingStrResponseOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          high
                                                          http://tempuri.org/ID3DService/GetD3DSettingsOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            http://tempuri.org/ISystemService/GetSystemSettingsResponseOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              https://www.nuget.org/packages/NLog.Web.AspNetCoreOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E867000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                https://g.live.com/odclientsettings/ProdC:svchost.exe, 00000016.00000000.1285534639.0000020ABDE74000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1324136377.0000020ABDE74000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.22.drfalse
                                                                  high
                                                                  http://manifests.micsvchost.exe, 00000016.00000002.3087703961.0000020ABD8A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/wsdl/soap12/lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/IPowerService/SetPowerSettingsOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/wsdl/lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.quovadis.bm0lsass.exe, 00000004.00000002.3051677074.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170851675.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2820781754.000001D689D0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2820378582.000001D689C9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3038630843.000001E009C86000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1205672066.000001E009C86000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000002.3104642794.0000026CC1310000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000C.00000000.1213430790.0000026CC1310000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000002.3068720863.0000015AB6FAD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://tempuri.org/IDSAService/GetDriverUpdateDataOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/ID3DService/SetD3DSettingsOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/IDSAService/OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/IPing/PingIntOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://windows.msn.com/shellsvchost.exe, 00000005.00000002.3034400131.00000240EA813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3071757513.00000240EB2E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://ocsp.sectigo.com0OneApp.IGCC.WinService.exe, 00000028.00000000.1342062576.0000015AB72B0000.00000004.00000001.00020000.00000000.sdmp, OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://tempuri.org/IPowerService/GetPowerSettingsOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://wns2-ch1p.notify.windows.com/?token=AwYAAAA0tIv%2fKUIv3tper7g4NmjPPRDD0C5Bh0RTB8YXBLjQFxugt0Microsoft-Windows-PushNotification-Platform%4Operational.evtx.22.drfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/soap/envelope/OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://docs.rs/getrandom#nodejs-es-module-supporthades.exefalse
                                                                                            high
                                                                                            http://tempuri.org/IVideoService/OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trustlsass.exe, 00000004.00000000.1170003844.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3031637808.0000021B26650000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://c.pki.goog:80/r/r1.crlsvchost.exe, 0000000A.00000003.1254803450.000001E00A797000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3064388466.000001E00A79B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/IVideoService/SetVideoSettingsOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.microsvchost.exe, 00000018.00000000.1293079967.0000015151070000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/IDisplayService/OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.datacontract.org/2004/07/Microsoft.Win32OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/07/securitypolicylsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1170003844.0000021B26650000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000004.00000002.3031637808.0000021B26650000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressing/faultOneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/IPing/PingDouble | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://pki.intel.com/ | OneApp.IGCC.WinService.exe, 00000028.00000000.1342165387.0000015AB7475000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/ID3DService/SetD3DSettingsResponse | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0D | OneApp.IGCC.WinService.exe, 00000028.00000000.1342062576.0000015AB72B0000.00000004.00000001.00020000.00000000.sdmp; OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/soap12/P | lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.cn/shellRESP | svchost.exe, 00000005.00000002.3034400131.00000240EA813000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000005.00000002.3071757513.00000240EB2E0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000004.00000000.1170003844.0000021B26650000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000004.00000002.3031637808.0000021B26650000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/ID3DService/DeleteD3DDriverProfile | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://github.com/nlog/nlog/wiki/Configuration-file | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://ocsp.quovadisoffshore.com0 | lsass.exe, 00000004.00000002.3051677074.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000004.00000000.1170851675.0000021B26E4B000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000009.00000002.2820781754.000001D689D0A000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000009.00000002.2820378582.000001D689C9C000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000A.00000002.3038630843.000001E009C86000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 0000000A.00000000.1205672066.000001E009C86000.00000004.00000001.00020000.00000000.sdmp; dwm.exe, 0000000C.00000002.3104642794.0000026CC1310000.00000004.00000001.00020000.00000000.sdmp; dwm.exe, 0000000C.00000000.1213430790.0000026CC1310000.00000004.00000001.00020000.00000000.sdmp; OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E732000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/IPowerService/ | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/IRegistryService/GetRegDriverInfo | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/IRegistryService/GetRegDriverInfoResponse | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://json-schema.org/draft-07/schema# | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E867000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000004.00000002.3030761211.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000004.00000000.1169952070.0000021B2662E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/IPing/PingStr | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/x | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmp; OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E703000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://github.com/nlog/NLog/wiki/Targets | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/IDisplayService/SetDisplaySettingsResponse | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://pki.in?=VS | OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IPing/ | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://github.com/nlog/NLog/wiki/Configuration-file#variables | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/IVideoService/SetVideoSettingsResponse | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://pki.intel.com/crt/IntelCA7B.crt0 | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp; OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp; OneApp.IGCC.WinService.exe, 00000028.00000000.1342165387.0000015AB7475000.00000004.00000001.00020000.00000000.sdmp; OneApp.IGCC.WinService.exe, 00000028.00000002.3068720863.0000015AB6F90000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://crl.mi | svchost.exe, 0000000A.00000000.1205626042.000001E009C74000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 0000000A.00000002.3037794452.000001E009C74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | OneApp.IGCC.WinService.exe, 00000028.00000000.1342062576.0000015AB72B0000.00000004.00000001.00020000.00000000.sdmp; OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod/C: | qmgr.db.9.dr | false | | high
http://tempuri.org/ID3DService/GetD3DSettingsResponse | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/IPing/PingIntResponse | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | OneApp.IGCC.WinService.exe, 00000028.00000000.1342062576.0000015AB72B0000.00000004.00000001.00020000.00000000.sdmp; OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/X | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://spclient.wg.spotify.com/v1/live-tile-xml?region= | svchost.exe, 00000005.00000002.3066283169.00000240EB25F000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000005.00000000.1178749041.00000240EB25F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/IDSAService/GetDriverUpdateDataResponse | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E732000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/IPowerService/SetPowerSettingsResponse | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://crl.v | OneApp.IGCC.WinService.exe, 00000028.00000000.1340862645.0000015AB6F5D000.00000004.00000001.00020000.00000000.sdmp; OneApp.IGCC.WinService.exe, 00000028.00000002.3068720863.0000015AB6FB1000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/nlog/NLog/wiki/Layout-Renderers | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E77C000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/ISystemService/ | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E51E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/actor/next | OneApp.IGCC.WinService.exe, 00000028.00000000.1338240129.0000015A9E6BE000.00000004.00000001.00020000.00000000.sdmp | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
74.125.139.94 | pki-goog.l.google.com | United States | | 15169 | GOOGLEUS | false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577085
Start date and time: 2024-12-18 00:30:51 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Run with higher sleep bypass
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 31
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hades.exe
Detection: MAL
Classification: mal60.evad.winEXE@5/73@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms or more are ignored
• Excluded processes from analysis (whitelisted): dllhost.exe, sppsvc.exe, SgrmBroker.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.210.172, 23.197.166.163
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-b-net.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtWriteVirtualMemory calls found
• VT rate limit hit for: hades.exe
                                                                                                                                                                                      No simulations
                                                                                                                                                                                      No context
Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context
https://pdf-ezy.com/pdf-ezy.exe | malicious | Unknown | 199.232.214.172
Harrisassoc_Updated_Workplace_Policies_and_Compliance_Guidelines.pdf.pdf | malicious | HTMLPhisher | 199.232.214.172
support.Client.exe | malicious | ScreenConnect Tool | 199.232.214.172
5.msi | malicious | DanaBot, Nitol | 199.232.214.172
file.exe | malicious | Remcos | 199.232.214.172
https://garfieldthecat.tech/Receipt.html | malicious | WinSearchAbuse | 199.232.210.172
lavita.msi | malicious | BruteRatel, Latrodectus | 199.232.210.172
mjjt5kTb4o.lnk | malicious | Unknown | 199.232.214.172
uEhN67huiV.dll | malicious | Unknown | 199.232.210.172
Clienter.dll.dll | malicious | Unknown | 199.232.210.172
No context
No context
No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.3599130113691179
Encrypted: false
SSDEEP: 12:+SAI77eaaD0JcaaD0JwQQAKSAI77eaaD0JcaaD0JwQQA:yI77etgJctgJwlI77etgJctgJw
MD5: 6392E749087750C619B28C674473B996
SHA1: DE33774F94EC8C968A49D8188FCBCD09BC63ECED
SHA-256: 9E4E6E5AAE2BCFB52099CF307BBF20E844A3059CD31D6A5FFE2560AE2E2601B6
SHA-512: 9CE396499E6B662E84FD73308B4BA31A8708AA5C17B2D7E28A7F21E1E6A47F4714E5BF200F40BDF3EF35041A108DDF32EE1E1B7CF8318E3D36602F6A347A4AD7
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.13680000791139132
Encrypted: false
SSDEEP: 384:mJHL7HbahIfcjcidIiBysHciXBs78MmhRht43mKdyrf6YM5e:mJP74rzc8Myr43mNrf6YM5e
MD5: C9170D2574DE514438EA8B896653EA25
SHA1: 3ED5D967EC5F24772D588E1B1A7E73051172A02D
SHA-256: C2237E2ECE7DA2964969278C49921DF1C1FC150DBE9204EA3E539D140DDD7F3C
SHA-512: E58EFF9E618681B6201BDB4141C5DA5CD661D3C4F5F77ADC5568C44FFC122AD83A0B5A5151777057F6AD30C0996359A929809542728DB564B9CDA019FEFA6AB8
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xa9cea79c, page size 16384, Windows version 10.0
Category: dropped
Size (bytes): 1048576
Entropy (8bit): 0.8698004182775572
Encrypted: false
SSDEEP: 1536:LSB2qSB2gSjlK/LfDalKohVF8/bGLBSBLil2d/3Cr5DHzk/3A5v7GoCnLKxKHKrx:LapaQK0yfOD8F31Xw
MD5: 1A983895DDFE3513CEFFD1B58B47B3C2
SHA1: 46D158108BA4242440B242CE145386439F98529B
SHA-256: DE75DDC9D68F538D76EA8A31EFECE9B7B545ED15D6311454D23A376887117F7C
SHA-512: A6B7759A08C5A6C93300365D7EAE5F3B836D3884753AE88A2A2C4114EC0F3C7A1CDED2C999E0CAF4DB98D226CA0BC2C32541F898E16F952D62D8041541C6CA58
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.08016679210206193
Encrypted: false
SSDEEP: 3:SXmcps3kvZpKL3qyoylttltlAu0illo0lJlbxvws:SXak9HYtXtNRL
MD5: 3D5CE6CC9277E1D79864D667DEC5F83B
SHA1: 8D5CAD22727A63240FE2D9640169D47A864C7D8F
SHA-256: 77146B1A5B1CC0F10975E623E902B36A986766F4B9355E451327815324380E4E
SHA-512: 8597708C9A181BD4C6218279F40041EEF642D87705E17FF71F7BB9798F57B0ADC33E073FF058ED258E5EEA288590304BD5A40048B105861A9A8A8D89B0EB1C9D
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 170
Entropy (8bit): 3.352387145227811
Encrypted: false
SSDEEP: 3:kkFklM+CW/IBtl3llJzllkll/SosdutQlhlRgPdetC1acNlj:kKP+rotlDls4HdlbmetC1J3j
MD5: CCE10C83F7A0506C613B8693C6468C1C
SHA1: D209C22D3350DF3A57B2825AF039898D2A0E2722
SHA-256: C08F1EAF7E291A89F2710A3C7A7BD45C63B3A28695AFE86AB3C523309245E4A8
SHA-512: D227597C3F510320256B2FB1AB696A82E9DB49C79A8B05CDF19BBBC05CA8992D81384BCA6BF77B9374633717F2E4E5B746BCB9131B34F7D1B438DE1DCA6905E3
Malicious: false
                                                                                                                                                                                      Preview:p...... ....6...@....P..(..................q................................... ...............................V...h.t.t.p.:././.c...p.k.i...g.o.o.g./.r./.r.1...c.r.l...
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 340
Entropy (8bit): 3.9988288449157428
Encrypted: false
SSDEEP: 6:kK8K7KjWsG7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:EK7KiFLkPlE99SCQl2DUeXJlOA
MD5: 0BC120DC4CAA7854126C8952A4B11327
SHA1: E312ECF05CA8D68EA2BC4FB473695FCE6FFF5C18
SHA-256: 621BEE9163BBE88168671EE00DE145B20986E022F80B568ADB56C78AAE37B6D4
SHA-512: 1B66FBEAC761E9A622B8E1BCE2D323FE73850074194F1DED8A9E07EEFF8FA008FEFD115FDCD15B7B4D6B50C3F86294CA717315611D926A62C351E35C9F9D47BF
Malicious: false
                                                                                                                                                                                      Preview:p...... ........F....P..(...............wi...P..w._./Q..w....Q..........w._./Q.. ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: modified
Size (bytes): 330
Entropy (8bit): 3.4484600414623747
Encrypted: false
SSDEEP: 6:kKxW8qa8uScN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:ZWlkPlE99Si1QyIeek
MD5: 6CD305FBC798DC8F0A242F251F7A0E7E
SHA1: 3646A4AC46B5FACC8B20EB1737CB7B64E45D8B91
SHA-256: D19F9B5730161544AC9BDEF56A59CDD047592B55AF0FD6F140AB0DEA0C38EE1A
SHA-512: 18A6278552309283221166033BB145B6E5CD360F7714C656D51F4CCD54F723A3D2611C2D97FD56553147E964A8601BD5B95539CA665084E14184B5A9561B54F6
Malicious: false
                                                                                                                                                                                      Preview:p...... ........{....P..(...................................................:.. ........B@!........(...........t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...
Process: C:\Windows\System32\lsass.exe
File Type: very short file (no magic)
Category: modified
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: 93B885ADFE0DA089CDF634904FD59F71
SHA1: 5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256: 6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512: B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious: false
                                                                                                                                                                                      Preview:.
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):340
                                                                                                                                                                                      Entropy (8bit):3.9866473465331658
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6:kKqCPK7KjWsG7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:iCPK7KiFLkPlE99SCQl2DUeXJlOA
                                                                                                                                                                                      MD5:4BEB9614D5EF923BE0BFA109A6F8A2EC
                                                                                                                                                                                      SHA1:0A656D02CC18CF29A7E76AA036C8AFC6C778469F
                                                                                                                                                                                      SHA-256:F90376938480EF4107251727C0C5C1F17BC0A131201358CEADD466DD29638E8F
                                                                                                                                                                                      SHA-512:C68F3B168462925D951B2D1475274606BE8BD9055FBDD19FED11BC27DCBBA13206F2D9056E171090D51D1AE08F42C80F7D05A2BB19B85AC498AD45C062934942
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:p...... ........e...P..(...............wi...P..w._./Q..w....Q..........w._./Q.. ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):330
                                                                                                                                                                                      Entropy (8bit):3.4484600414623747
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6:kKc48qa8uScN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:E4lkPlE99Si1QyIeek
                                                                                                                                                                                      MD5:911939B90882E03859EBE0E05E7719CE
                                                                                                                                                                                      SHA1:57F4D7A6349E5E349E060BEB10D006CADAF17C99
                                                                                                                                                                                      SHA-256:47454AC5CEA0323AE7FC899E736544B3CE543862BFA92C6182C3FAB4BA6A675B
                                                                                                                                                                                      SHA-512:3AFA8D86265CFCB0CA21CBD7B3F2600847B25B2190740F02527ADE9F4EC8BD11C2DC461CA8B42471E2F3F6418A819E83BD458DA60CC5B0AC565986F5B06F0211
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:p...... ............P..(...................................................:.. ........B@!........(...........t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):55
                                                                                                                                                                                      Entropy (8bit):4.306461250274409
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
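The hash, size and "Entropy (8bit)" fields in these records are reproducible from the raw bytes, so an analyst who holds the dropped file (or a file recovered later from a host) can check it against the record. The script below is an added example and is not part of the Joe Sandbox report; it rebuilds those fields, compares them against a reported record, and collapses the report's dotted rendering of UTF-16LE strings (such as the ctldl.windowsupdate.com URLs in the previews above) back to readable text. The two inputs are constructed here to match records on this page: the 1-byte NUL file written by lsass.exe and the 55-byte JSON file. Two caveats a reader should keep in mind: the Preview column replaces every non-printable byte with a dot, so it cannot be reversed into the original bytes, only into the printable characters; and the later record labelled "dBase III DBT, next free block index 1130785861" is a libmagic false match, since 1130785861 is 0x43666C45, the little-endian reading of the bytes "ElfC" that open the EVTX chunk signature "ElfChnk" visible in that preview.

```python
"""Recompute the per-file metrics of a sandbox dropped-file record.

Added example, not code from the Joe Sandbox report. The sample inputs
are constructed to match two records on this page.
"""
import hashlib
import math
from collections import Counter

# Constructed samples matching two records on the page.
NUL_BYTE_FILE = b"\x00"  # the 1-byte "very short file (no magic)" written by lsass.exe
FONTSET_JSON = b'{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}'  # the 55-byte JSON file


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the report's "Entropy (8bit)"."""
    if not data:
        return 0.0
    n = len(data)
    # Sum of -p * log2(p) over the byte histogram; a single repeated byte gives 0.0.
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def file_record(data: bytes) -> dict:
    """Build the size, entropy and hash fields of a dropped-file record from raw bytes."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_bits_per_byte(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def verify_record(data: bytes, reported: dict) -> list:
    """Return the names of reported fields that disagree with the recomputed values.

    Only fields present in `reported` are checked, so a partial record
    (for example just an MD5 copied from a report) can be verified too.
    Entropy is compared with a tolerance because the report prints a float.
    """
    actual = file_record(data)
    mismatches = []
    for key, want in reported.items():
        got = actual[key]
        if key == "Entropy (8bit)":
            if abs(got - float(want)) > 1e-6:
                mismatches.append(key)
        elif str(got).upper() != str(want).upper():
            mismatches.append(key)
    return mismatches


def undot_utf16_preview(preview: str) -> str:
    """Collapse the report's rendering of a UTF-16LE string to readable text.

    The Preview column prints each non-printable byte as '.', so a UTF-16LE
    string appears as "h.t.t.p.:././." (each NUL high byte became a dot).
    Given a slice that starts on a real character, keeping every second
    character recovers the text; a real '.' in the string shows as "..."
    and survives. This is lossy by design: the original bytes are gone.
    """
    return preview[::2]


if __name__ == "__main__":
    for name, data in (("NUL byte file", NUL_BYTE_FILE), ("fontset JSON", FONTSET_JSON)):
        print(name)
        for key, value in file_record(data).items():
            print(f"  {key}:{value}")
    # A slice of the preview from one of the svchost.exe records above.
    dotted = "h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d."
    print(undot_utf16_preview(dotted))
```

Run it as a script to print the recomputed fields next to the ones in the records; `verify_record` is the piece to reuse when a file pulled from a host needs to be matched against a report, and a non-empty return value names exactly which fields differ.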
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                      Category:modified
                                                                                                                                                                                      Size (bytes):4680
                                                                                                                                                                                      Entropy (8bit):3.7110326174739963
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:pYMguQII4ieJ6h4aGdinipV9ll7UY5HAmzQ+:9A4u/xne7HO+
                                                                                                                                                                                      MD5:6FB9BF7B165310878986EB78F09154D4
                                                                                                                                                                                      SHA1:2E23DC9E5232AA1BDA97DCA62E6DB129620D2ADA
                                                                                                                                                                                      SHA-256:91736540EF17D49CD935C69185BFA4E9EEF6E49DE91BBEBB273D59B457614CCA
                                                                                                                                                                                      SHA-512:AF2D1D78BDA35CD16FE829176BA8CB224CFE58689CC7ECF84D6D163445B7519BF0BAC21C89BBBF5364671535847702AFE7B2EC75BDB20622196F6B98FF094D96
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):4096
                                                                                                                                                                                      Entropy (8bit):3.569512854423509
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:M+75DWiwrP+sXCrPwfFRVEfWb3/OoNto0yTL3W+KhPFDS2zd:l75DwCrup/vOororLGdRFjzd
                                                                                                                                                                                      MD5:F0F36EF3B27BB22AE50DC06426291F8F
                                                                                                                                                                                      SHA1:E47041E7246F82C42A116AB38D315874755F7D24
                                                                                                                                                                                      SHA-256:B07A4DDDC5527A2114D8AB0B190B4B6A2BE7729868B920CADCEDC3A870A633EB
                                                                                                                                                                                      SHA-512:B2014CEC2BA1DAC8BC6E968E1536EBA40E1C82E63D811A68CC942A0376AD76CD1C69FCBB1176CE37AB3A2B2E3109868A1FC26E9D657F3A526571DE5B3CB60B69
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk..............................................:)......................................................................_..............................................=...........................................................................................................................g...............@...........................n...................M...]...........................h...........................&...........................................................................................**..(...........(....P........?K.P&.......?K.P.~r^c0.p.CA........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:MS Windows Vista Event Log, 6 chunks (no. 5 in use), next record no. 723, DIRTY
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):109096
                                                                                                                                                                                      Entropy (8bit):4.318853451536255
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:jrhkyHQOLt5jR7zpkYQ9oOhkyHQOLt5jR7zpkYQ9o9M/TG6OtiY:/i4t9R7dbQSOi4t9R7dbQSW/TG6+
                                                                                                                                                                                      MD5:E6DB6C819ED577AF66F5BBBCC37E23E6
                                                                                                                                                                                      SHA1:3E8BE6330D09576065E2B65E7F0407B87C9028DA
                                                                                                                                                                                      SHA-256:AA4EE6F365A1D3E61EE4C0ED605923B8F4A16705C46705DE2DBD3F76481526E8
                                                                                                                                                                                      SHA-512:70108C21D9D01F4E54AAFF4A6ADD4A21B62BB058C98F39F390DF65BD0F0FE9C0B0C44EDB86934DDCDA97FDCFC4C185D9C0BDFC61260307FFF67CCF98D73540C9
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfFile.......................................................................................................................-9ElfChnk.u...............u...........................b.......................................................................!Bct................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................9...........................).......................**......u.........K.i........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):1.4713848269015941
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:phBNimLN3UN3pNINcN3uN36ZN3fcN3dN3xzN3lN3RN3sN3YN3zN3TN3JN3xN3kNm:pAaC30SyTx57f6u5Z3/y2FpwsoQ
                                                                                                                                                                                      MD5:CA183BCBB0F17DE9B5E1593B6AD1AC0C
                                                                                                                                                                                      SHA1:B3408B08508B561BE36E491F5F4B847B951CD88B
                                                                                                                                                                                      SHA-256:7747ADB3EE45A37B8299051D080523A9780222591B495D9471D7FEF9FE290B59
                                                                                                                                                                                      SHA-512:5C8E58D134CC8118FFF6434A131DD9B00057EDF17C0B9AF5C65F136AE624197031ABC169539E986C15069024506F4FA4E0C260BA1E93DDBF0A9CE2924DBE1FBA
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk._.......y......._.......y............G..xI..9ai.....................................................................T...................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......_..........f,........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):4.325848123975547
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:bhKVQV7VdVdEV/jVAVjVKV+VsV6VxVpV5mVmVoVJVsVuVSVRVLViVfV3VFVd1Vth:bfytRq6
                                                                                                                                                                                      MD5:B6DD62417B4B5F30659CE2A94860EF18
                                                                                                                                                                                      SHA1:11DF7D12732DF04FC12F78507907802DBD65DA0E
                                                                                                                                                                                      SHA-256:2D284603DC1A013097228C672081986DA9424952A6EA900BB1D47B906303040C
                                                                                                                                                                                      SHA-512:AFFCA9ADE1CFC8A32A706D117202E0B514F0D9BD0452578F1252FC5EF56D24391AC6841350A041F6ED6711350ABDDAA6182700A539AEA11FDAD2011D0A45F87F
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.|(.......(......|(.......(..........hj..0l...Th.....................................................................b-Q................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&............................................&...............................#......**......|(........<Q.9......../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):110288
Entropy (8bit):4.387304923811998
Encrypted:false
SSDEEP:1536:JO1fni2TDyiWAZfBzB6BbB2e7mBt23KDi/OyazwNJCmikDeC1fni2TDyiWAZfBzo:0fjDyvTfjDyB
MD5:E52E096E4232691821C2A221E745B087
SHA1:9C8C64CD602AE2677E5ED0513AC827CCC15BE39B
SHA-256:4FE20BF8DC601C7080E8147BB192943144F906D30CD896C93F59C90BE8D71725
SHA-512:38216D5DBEBEC5AFCC75C714519CE18B75CD738A563025F7FB7F4B51967C47BF1EEA16D6E37E402E289A61A9D17C42C037A0CB2464597D40E8795A6021EEFEEB
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.339182655765318
Encrypted:false
SSDEEP:384:mhm+iMNEi1itiXiYiAiQiCiYiXiviCiriMiKiYili+iciSiVciji/DiQisiKi7id:m8
MD5:100E98F9B5D04A844F72BD65B9E849B5
SHA1:6BB9AA2B91B5069121F0062DA1A5401F0DE2AFA6
SHA-256:7EBEC9E5E65622F61B51BCF25BBD9A4FD7CEFD791DED3096FD692DDAF8BBE267
SHA-512:BE5ABB3EC1261D83B2B6CF3463A83A4DCBCB146E6B4DA6083BFD0E51CF53C1DE1AF7157D542BECC48176161EF8C7AC7F3D4DA929083402EF358DB94B8265AA37
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.450365518479021
Encrypted:false
SSDEEP:384:RhI3c6dh3O3Km30v3635B33H353X3g3J3N33Lv3j3j3A3730j3ue3H3T39z3IM3E:RkqL+Tl5qhdWFgwc4MElvawvMLww
MD5:0C4699AD5A4A5B9AE9C2C16535686C87
SHA1:14CB8AD320B3A117C4E1A5F81B49701C251BB89D
SHA-256:3DF40B85E70DFF523DA493ED45CF0AE80EE006884428B4E33A71C23880D22C9B
SHA-512:5540D721C786F8EEC8BE2ECF083704E001C37F392D2A634E0C33EF7D061CFFE2002B2D43510C8E96325634ACEBB13BB6FB5716866C3C47038FB81302264D88DC
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.226562004822823
Encrypted:false
SSDEEP:768:yPcpk0+db1RzsZrczv9ezTjlRLD1xzzmfgO5WJ:g4PTjX
MD5:A094B2E2C05C1F9508B4104F1A1ED7FE
SHA1:17052856CA6EC618493BABE3BF140B689D4E5462
SHA-256:841910BA62DDF53F3A9E3079F029FD6EE1D52E514D6D8DB511F29ED8601525F8
SHA-512:075CC183899F3D33C56952E0C2BD48706DBAA5FB1BA78256DC5345CB538EA5AA3FFD1B4FFAA68D1DC6952106689C61CF125453364F646670AC6A94CEBC1D08FF
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:MS Windows Vista Event Log, 5 chunks (no. 4 in use), next record no. 377, DIRTY
Category:dropped
Size (bytes):87472
Entropy (8bit):2.541170870718549
Encrypted:false
SSDEEP:384:ZEhTG6GxAGbGWCZGRGIGmFGVGJGIG6GzGoJGjY6rGOU6UGrGBGZGJG8GLGw1GIGT:WaOjmmDdRmraOjmmDdRm
MD5:8D3881B2BCD8C11E1EDE87687B5CB19F
SHA1:7132E4FB186BAEF2660FD57D0C94F2F0EBF084E2
SHA-256:BF3A09B9C310779EACEDF2EAA63B749D106E83E20DECEB392D9A5787D7FCB19F
SHA-512:56922066638C18511D8C1C54C230A38CEC6736B64354B832A2FDD5CF45C1D3F24CFDEB16D32F10A096AED1E8BEF76107F45048B7EE42EEA761B55A402A26A72E
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.95339553311844
Encrypted:false
SSDEEP:768:El/LLKiILbXvvvD7rrXuXtPPrzbvjPH7bf3:fiZX
MD5:F544830E3B15E7EA3DB9DB8AAA2708A4
SHA1:83B25CA880F6D61B5DC59F98F4D705C9ED6CFF14
SHA-256:C9CFBA8536AFDD8B91A9DA59F99B1A6FCD11B68F07A698D685C38EC645DA53EB
SHA-512:2F82B16C8EFE16C4DF1C037DB3F9DE40E168E99076F1F8A4C6DF3F345F835CCC63BDB2C38DB24E0B57BC58CD2031CB05878CB5A5217709C95C92EF2C8A40544A
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):67560
Entropy (8bit):2.499035628005146
Encrypted:false
SSDEEP:384:uoOKxWoJhuoS9VoryorOoroortorVorVorNorrmo4oruorlIoreorNorworgorDW:bsWqGO
MD5:425684650350AA3EDA35382E337AF09C
SHA1:762F9766FEABB240D2BF0A163C42500BFAA574B1
SHA-256:8E972458C1CE5E10989303C66D6F2294BD2BC3EA4AB7BE56DDDE54B9CE0C28D2
SHA-512:D32033632A73F7D268EC70E93A9722F9B8339FC335B0FC2376C933FA95061E6ECF84C4386E6E4B1EB48929A3CBFF3741456306E3495D0A59F3566BB53D8B1297
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.2040621975978048
Encrypted:false
SSDEEP:384:/hNPmP1PKPvPZl5P8P7PAPt/PU+PKP1PEPNPaPQPiPqPFDPhP6PwPXPaPZ8PWPCs:/DlvUGLpF
MD5:9DEFB0AD8853026D4977D1A5EFB8E76B
SHA1:B98A9DD17FDA24BDF4D736A7BFBCE120E8F4526A
SHA-256:693E196D75FAE9E2CD130E8FD43B151F5957A035246785196FA80FCE6D976ECD
SHA-512:25397F5A1E031EFA2EB126C99ACCC5CBD937CA9DA2565187888E08E0A51D0627A2C2FA19AAB7314A3C204251971FBCB78F7341DBF1A9D9682E83929AF7EB0CB6
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.1774280183493913
Encrypted:false
SSDEEP:768:oDbHtuYYZAqRidVY4HdYWgML/chv4PzSw05Wt19M6vz73mA4+9AxNAVBBBxZvaVE:/27
MD5:3D63E32F64E85C057373298E3A72BE87
SHA1:FD212B4E712A3D3F5E5E51165685F7FC36EB8899
SHA-256:E17722A77EA64FDB179E6347098C182F5EF201B1E69D17BC82FCF9E8F544A075
SHA-512:814078120CE93FD6CBAB02FF4114E60F6C184E4F7413FE706AD27EA0415FFA1CFF87C0D9AD7CF6E029FECB354746F5BE06C9A4510389EAADC44B0B149285BF66
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.72526623464096
Encrypted:false
SSDEEP:384:3hch15hHh0hUh4hlhhhFhhNhPhLh1hthlh6hah+hFh1hVhEhUhMhFhJhKhthPFhd:3yyw
MD5:63D6C463613548BA1A395012AA634D0A
SHA1:39629723EF2A9359C2A95771D2F7A79D695E87D1
SHA-256:4860E4DC8838A3915083E99DEE5FABA082D178A7C156053BDBED2FD1E3E1C0D7
SHA-512:9B83F4EA5F85E5491E5F176E8D224828522F912F598CD4EDF13BEF4601DCC66D74B553D8E46F588E9C4A46C631D286DC0E93F18D5844E8241AB5D159CC5B232A
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.7994264651186869
Encrypted:false
SSDEEP:384:A5h7YJVYV4YcYIjYkYVpYsqYVyYV3YVfYVRYVzY:kfvzDWeM
MD5:6C9EFEBBE70CF70D12E467D623FCEE1C
SHA1:B380A3E698DD9640799C579B1720A63754DF812D
SHA-256:F39FD3F6D00D8A8CE6699593B9052AECB3E4B37B6AC2798F84D73B69FC0008B8
SHA-512:AE695D9DC31E76AE8566BD5FF7CB245AB746274D0D9C228336F6EB30F33558C4E026713FD44FB208A73246BFA3F82AD063613CCBD2BEF61C57B4AD3AB694428A
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.69958357804125
Encrypted:false
SSDEEP:384:ehDCq2cCp1Cz2TCLqCM2CZCjiCsCblCnC/iCsCe5CECOwCFCkUCXCUoCjCtorCrp:eUEJ2R
MD5:1265311FDFF41737411B43C179ABB15D
SHA1:0CA731889A52B262D152DED8A8144B1F0C21FB2A
SHA-256:829999694364CFF7C66428A2F0FD394C482A4CB8AF049DE1EAB791AF428332CF
SHA-512:44AC5C7543B2D848133A28ED8D32A2020D654C93C1DF5C2CC860FEACF98C2565ADD5802426BA5A0407B5B23883132EB90935BFD91D9D504D7C22D30F7A5012F3
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.950902778159053
Encrypted:false
SSDEEP:768:Oey39iM13dtfbSqyYcQGXrlhmQHZHm43/0YOb5Dmy/OAwuM2eWE:CSE
MD5:3D7C0CB2B88FCE7822A802248122D608
SHA1:452595DA9F1FEEC09C3456D7BC83FE7D62F90148
SHA-256:E8E8C7998ABC0C2F5AB589620C1D3F58248DC6349AEF472B8CF80E66F054D5CA
SHA-512:577EA9C34E457F8733F02F1B6A805719709DC8A7A9FA3624EBC3188589EBBA7586DCA88063FBE965DFC2FB75BAF877EB5A2F29645AAAC61C65E3E7E5C0A1F2B3
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.446206722140754
Encrypted:false
SSDEEP:384:zhaEdEqXAEJVvOEJSvEqEBEENEuDEaExEOEAE7EmEizEJ6ExEZEX/+EaEF5EOcE+:zVXmIBqr97fAIHCtspptpO
MD5:BABB3D638C1888C6DDADBF82D8365828
SHA1:8F080DE49838B57F8F24ED8624DA46DDE34C9F7B
SHA-256:D52A716680AFCAEA796ACDC66AE2C56826A7ABAD0167975359203492ABEDE651
SHA-512:0E5D1750ABBEBAC088EC6E86C896CA6FFD8ED9C694446FF03CB795340295CFF5D3E0463D00261EA0FDC106E0C94D2BE7FB49F762B4A3CA640D4FA2FD90DF9DE2
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.4042162947236116
Encrypted:false
SSDEEP:384:WhPFKlcLBKalKuDGK1GKgkKClKvQKqlKlaKu7dKrXK7CK53HKstKoIK8eKugGKIW:Wz8
MD5:B66406B4B89E430154BD56CED7799027
SHA1:0686F33520ADD4DFA71CA425BA1C045B950F8A83
SHA-256:F1F4904A5E20A9876CDFE0454AC291DD8A58A1FED39F966AFEE45B18B31253EA
SHA-512:4EEEA884822A0054BBA310B89E4367A5229618A51C4FB92BB151C39336B9235DE8E10812252DA52AF28C752DA819B98C5AC3BBFAC2602FC2231044A19D6C86E3
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.100592094208881
Encrypted:false
SSDEEP:384:ch+DEfbDisDTDqDPD1DPDXDuDTDGD8DMDRDcDvDhDlDEJDpDmXDyDsD6DwDKDOD0:crqyaBHYPi
MD5:68A6CCE6E819A0A5E69B49F89969D8C0
SHA1:B6AB27A41C1C97D7EBA1190166FAB143A866B100
SHA-256:1DC15EC538BA0F99AE16F8B6414CAD29499528FE9B9EB107DA5D1EDF442A8D12
SHA-512:F68558340455EF99A1139CADBE3B0A8676CAD62585622E1DBAC365D6B3A845CCECDBA4D0BDCB078A04FC39597F5EEF47B0766D487E24DFBE19687D67135F44C3
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.192518938427678
Encrypted:false
SSDEEP:384:thdzpzAzKzyzIzazrzRztzPzxaz9OzJznzfzXz4zdz/znzYx3z9zrzmzYzwzYzXC:tK8WxvZx
MD5:65BE0BE376BD5C9B6A6267F498750E2E
SHA1:CA716F4EC0214737A928369BD6FFF145D72B4D59
SHA-256:FD59D16FD57D894C47CF0570BC3AB1CFC51572DEADBD4E94527702140978E3CD
SHA-512:F0A8DD7CFB4F8E0FF1B1D3ACB97985325D6E5E846C608491A314B0334AA642ACAC64B2BB99017A753CE7F7101B10EC0D52876159FF23E1141ADAFB0D353E12B3
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):1.7394023424378904
Encrypted:false
SSDEEP:384:hhXIVHILIi9jIcI9I4ImIjIsI7IuI7I7I26gVJ6CI3VJ6vILINIhIkI8IDITI0In:hQ28i5i
MD5:CE0C193EA0E4E7AF4BEA90D7830E18E4
SHA1:2F66C7F0872D516D795A40BA504E7D8D49C77578
SHA-256:83B022C60B3099CB688F40B74A927DECA2380E7CC1C5C1DDBB1F37B8342085A7
SHA-512:24D502B95C74AB175FC165661FAB44523BCFD70A82E66AAF69271AB19219AAECD713AE6BD30931167D10163B1315A7507F4800B0FB88B86F1BD46F1B787C6A50
Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.....................................................................................................................OFWi................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F............................................................h......................................................................................**...9..............9......../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:modified
Size (bytes):83760
Entropy (8bit):5.532152347508206
Encrypted:false
SSDEEP:384:7hda5eH2KpzyzIzva5ozuzNz0zxzuewKWMKLa5a/SYa5nUa53a5ma5sa5Ba5Na5G:78/LgPRZnm8/Zt
MD5:7D207E1391B27C69ED0DF95D085F3CD7
SHA1:BF2421CF81FFCCCAF750EBCF3CFCA0455D8D04F5
SHA-256:98744BC113E8C085357A70B2CA3B5DD4239D6F9A584413E4E84531F3C05F8B8B
SHA-512:04590832738E2DC1A81CBFEEF4D4F69C5749139963D526B395DC5198B4FE59EB8AAE0D4C69F3BD7E871F368CBB8FDF647C012C66B88177B64C6097741689E212
Malicious:false
Preview:ElfChnk ... (binary EVTX chunk; only the chunk signature, the "**" event-record signature and the embedded BinXml names Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version are readable; non-printable bytes omitted)
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.1072197538628687
Encrypted:false
SSDEEP:384:Jh0QMqHM3EbMYFMOuM0cMn71MuMMxsM98M0n4MBHMovMmXMqQMrdMlOMZzMWHMBU:JZWa
MD5:BB4330E50B49AF1B554F9A69833DEAF5
SHA1:49CAA2C4DA9B01332EE9B025B9A569159913C43F
SHA-256:E6881C56B84D214A4B1FCC932767245B567E48E4A3EDF9CA9BB9D141D1F4C429
SHA-512:6C744477F3C72EB653C119277DD21C8C3C0CAC1FD2B16AED09E85D6D990396F2D6F1A89EC3452BD2A0FB445F0288DD3E55DDEA608E309538ECA57382BCEEC228
Malicious:false
Preview:ElfChnk ... (binary EVTX chunk; only the chunk signature, the "**" event-record signature and the embedded BinXml names Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version are readable; non-printable bytes omitted)
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.2830525694463857
Encrypted:false
SSDEEP:384:Fjhb1Sh151f21Q1c161J1fA1eE1cj1/q1f+1Cz1410C1F1f81H111f210111X1fO:56vPCDe2v/bgrJlrxbz3t3fAQmz2
MD5:1E501AE722BF5263AB9F997E161E6A78
SHA1:F8825E977F6492EDEFEFB2362F114AC2E54B5672
SHA-256:501BE3B55B4803732880A640C64E29D7DF8869C42387B9BB11DF3C6DF80F8467
SHA-512:8B84AF31FCE64D39E3CFB76E764B48446ACE53238257978550436974D486E8D3259FF8F3AA77A35631875F76B315CD55DB78DEA45006379D0570D8A305EE3CD3
Malicious:false
Preview:ElfChnk ... (binary EVTX chunk; only the chunk signature, the "**" event-record signature and the embedded BinXml names Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version are readable; non-printable bytes omitted)
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.322826986185799
Encrypted:false
SSDEEP:384:bhnIFwI1IcIIIEI1InI0IXInICIWIzIOILIqIhIXIJIrIPIMIiIMI/InIFIxImIb:buxxVGRr
MD5:FEAF2BAB9FD9B7D82C51A77EE5F4E6F8
SHA1:15B3C122F340BAC7BBCDFE5BC78F04D6FFE24BCF
SHA-256:75F8E607850F657095E754E4FC760058750A188A077C221FF31EB28656734175
SHA-512:A1FA5472C59F317DCBCEB898B31CDB46E073553A2250AB18336348944A1AB2C6BE972AF355080D6ED9A8A6C60953772EDFDA9E3EDAFB19901F29739730421850
Malicious:false
Preview:ElfChnk ... (binary EVTX chunk; only the chunk signature, the "**" event-record signature and the embedded BinXml names Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version are readable; non-printable bytes omitted)
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.154158524153489
Encrypted:false
SSDEEP:384:shqILI6I6IUI+I4IZIhISCI3hUICIOIDIMIfINIEdImIDIXIjlII+I/IAIiIkItv:sHZhxKkDBhT
MD5:4C6C1B01E64C5786C08CD0B75B16EF62
SHA1:F026704F7BE48A405DFEDA24A243DA2063F31472
SHA-256:235FF9720CED6C26641081DC0E8B3119D3EB42EC825701809833FE9B08187122
SHA-512:FAE096DE8E77A2607024FD6E5B8041184A9CC28AEBC7E42EBAA1CF36D52F368792E4013602114C60E8618463C04D4324E0B43F5D5FD8C2C9BE183412789B4D09
Malicious:false
Preview:ElfChnk ... (binary EVTX chunk; only the chunk signature, the "**" event-record signature and the embedded BinXml names Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version are readable; non-printable bytes omitted)
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.900075796576728
Encrypted:false
SSDEEP:768:M41WS5OAT1rPgAT0nH15T0nB15T0nQ15T0nW15T0nr15T0nB15T0nh15T0nb15TT:KScA
MD5:68059FCAD0901E45EAF7EC506FDB2E7C
SHA1:BEBA2509C1EFF8F3EF0B44DBF023886DC47604D3
SHA-256:5B570A94510A7F5544784AFFDA73DF54FB95296AD7CF530E46C20050C0E75089
SHA-512:362F76A3D526B8887969EA38B46B6683C0419C55D1DD7018E76EE91774E28F72A157372B37227D63202CB0B6DE0C8FA59CB75368B325B9231363ADC3747CC833
Malicious:false
Preview:ElfChnk ... (binary EVTX chunk; only the chunk signature, the "**" event-record signature and the embedded BinXml names Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version are readable; non-printable bytes omitted)
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):5.039443758143454
Encrypted:false
SSDEEP:768:2RYeYPqUPGGCq7s8zlDzYjYSFjMuwD0diqjId:tCrFjMBwdxjId
MD5:C929245B9B5C740878D3EB2FBAF28B36
SHA1:D4A4171457B92C10DFBDCAA40B8A36D78D40D290
SHA-256:04A4ED249A849C8F888044803D59BBE2E081C68AE5B1A57FA9C41488E61FD780
SHA-512:3B7F4A30E97925D4A6D5D1FE08ED53E2F01F9758A82251AAC2DFA3AE04985FCD2420F0CAC1E09FC5B5CD81422E4A76E22FA39D3E698E77614E9A18A796988259
Malicious:false
Preview:ElfChnk ... (binary EVTX chunk; only the chunk signature, the "**" event-record signature and the embedded BinXml names Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version are readable; non-printable bytes omitted)
Process:C:\Windows\System32\svchost.exe
File Type:DIY-Thermocam raw data (Lepton 2.x), scale 4-8, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 10384593717069655257060992658440192.000000 (file-type heuristic mismatch: the preview begins with the same ElfChnk signature as the other svchost.exe-written chunks in this list)
Category:dropped
Size (bytes):65536
Entropy (8bit):2.0537018003289567
Encrypted:false
SSDEEP:384:+ho8N8M8p8d8I8K8t8v681o8t8K8aI848s8D828P8N8285818n8U858w8v8yt8+P:+j31lT
MD5:85B74AA9829FFDC9F4F874A42CB89FE8
SHA1:8E19D84498192E654DA373D3EDE5117E2BF63CCF
SHA-256:56F4E78714395517C6E78F96FE8E34FAB215F9C0371294FBC2E87DE906FE3590
SHA-512:BEA408520A3E48FC3B10273065F1406A2BFC2365C5E4547602B6180BCDD7BC871BE6A841F027E83EBBD7DD269B5E49FE78583031096BA62C798221F7266CE6B3
Malicious:false
Preview:ElfChnk ... (binary EVTX chunk; only the chunk signature, the "**" event-record signature and the embedded BinXml names Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version are readable; non-printable bytes omitted)
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):4.2225041072498755
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:1huvnvmvJvBvdvrvwvSvovl+v4v6vvvmvcMvOyv4vCvAvTvGvP+v5vRvH8vUv5vy:1NzTEejRRT92
                                                                                                                                                                                      MD5:8D8E549E97B7C35F2D9408D7365E3CDE
                                                                                                                                                                                      SHA1:E6DD0C8A19885A1918D09635BA8B7734FFE28BF1
                                                                                                                                                                                      SHA-256:CEBDB068113A84743846843F999DA003686BB20FE8E907E93119DF63020F8F1A
                                                                                                                                                                                      SHA-512:476C0A8D191DF3B70B9A8680727BC771AED3284662BA9C0F5C20DE95EB7B67ECD24381DD21F5B6059347A9EAD0BBC7556C38CCF73E7CE1FE9529A1BC62DED21F
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.........................................P.....u......................................................................+..................v...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................f ..........................................................O.......................**..............l..-T...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):3.0921608996042784
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:768:DS/Bp+UdTU8UqOUyGUwaUpcuUvKUruU6DUZ5UtaUKOUpSUv2UwLiUIeU7bUhCUrS:O7rw
                                                                                                                                                                                      MD5:69B8632F6D9B8D99DF946C8DF0BC62F6
                                                                                                                                                                                      SHA1:463B495DB30651744B4968DB88973B34798BBB9E
                                                                                                                                                                                      SHA-256:FB3D077B3F5AB32C47A4BB37B58FED6D3C09F126B3FDAB63643334DFE574A2CB
                                                                                                                                                                                      SHA-512:439F147F5A3840E4B87E763A1C4F826567F3C905D5C600C14F8D075FD6E6B391C2720CA61CB56B1AF118899959BBC95F2F3654889F2BF0C8752EEEFA95607559
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.....................................8...h....".s......................................................................,.................C...........................=...................................}.......................<...............................................................f...............?...............................................M...F...........................................................&.......................................................................................**..h.............h............>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 27, DIRTY
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                      Entropy (8bit):4.1708709294536055
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:768:q3MEYS9jvhCeqi4hqQ4D/OX+/14e/8NqyYCIl8QVQzo:eMEYwwYzl1VYo
                                                                                                                                                                                      MD5:BC9530749A9D37C0D19D7BDACC5EB309
                                                                                                                                                                                      SHA1:87D2E193A08B09E3AC11E1DEF2EC601F6F379361
                                                                                                                                                                                      SHA-256:51C9FECAD3A0E66993BF289551CA6324E2534576E05F94BD6AB56915B4965CBF
                                                                                                                                                                                      SHA-512:B8FB48BF1D262B647E4462B0624DEE80C262D7DEF7C418CF1147E442B4AED7126B2226070A1D64375E2ED9FFC5CD65FEC0315650B3590E89401CBEB490761DED
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfFile.....................................................................................................................|.~2........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):4.307783790610159
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:mhd2h2x2z2W2q2Ez2S2h2HC1C+CACA2q282vo2Q2f2j2S42N262W2NCFCJCZICv+:mGCHBBivQsPc6isrzhF
                                                                                                                                                                                      MD5:6FDFD6F774CD00D9447432C9F859D06B
                                                                                                                                                                                      SHA1:E8CD0F68C882DD00D7C2EE28387D0CD0D7556805
                                                                                                                                                                                      SHA-256:34D09159EAE107D6B8703FA83E0C7CB5AAB5E5D87A0BBE96EF14625962518FAE
                                                                                                                                                                                      SHA-512:CF02C6271A6C4AA5942EA58FA10B370CF934D2ADCA877442815674FEC2E5E3800FDEF4B588043295E84A8F5A6DEDE4BF3D77A35F076BA030A49ACB14E9FB07B5
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.<.......s.......P...................h...p...........................................................................ar..................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................!b..................................&............................................................;......................**.. ...P........v...9......../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):3.416589484681612
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:1536:ZtJTcmXTfu/hD9ouzDZx+DWQeD8yiM4C0BYEeKee6lFY99PXg95RA2IektFNEfJ7:zJTcmXTfu/hD9ouzDZx+DWQeD8yiM4C9
                                                                                                                                                                                      MD5:F60A2688B5F8E2BBA295C58A09D8A8B7
                                                                                                                                                                                      SHA1:E4C801A750EEEA6CC55CD35CF4837FAF6191F6C7
                                                                                                                                                                                      SHA-256:96A6CA6D9C6DB8F5075C0B53B2A13AF6BC169990C048260B51DA35E7015C9A45
                                                                                                                                                                                      SHA-512:9104740975FDEF15E0E8F4E746D0A7F044C3E9539A8917A8124370A9875AC928F18D9A4B9308A26AFC1111D1BDF4C106A99A8279083CE6B8EF41348F37388AE6
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.~...............~.......................x...........................................................................vX..................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......~.......=............./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):4.4880074945138455
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:1536:dc29B63meXmKRPNF7n6xc5c8oionHnnbw+KifVk6T5bmkqkTx9/jBgu9RWQqUHXy:dc29B63meXmKRPNF7n6xc5c8oionHnbm
                                                                                                                                                                                      MD5:04EC6AD14AFEF2A2BF5F4FDCE5F1C90D
                                                                                                                                                                                      SHA1:7AC506E93C808FA8DF1D29FEB8A4C12940ED068F
                                                                                                                                                                                      SHA-256:092AF5804C2A7B0D67B5BDA4B89509C2DA5931F67F713244135F83EC1378233F
                                                                                                                                                                                      SHA-512:91780B7A6CD5372B70926D79364F5FA6F1723518C9933848922DCA62CCD93BA50A1059AEC7A1DC11487AEDC765B3998DBC617A1178CCE9ABFD55BEF72C5422DA
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.0&.......&......0&.......&..................*./.........................................................................................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F......................................................................................................................a~...y......................**......0&........F..P......../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):1.954158115078415
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:5hq7v7l7UZ7r7B7c7li7x/7Z7Z747A7rK7Rx7fy7P7C7I7F7W7DX7z7C7B7Z7f73:5Gzb
                                                                                                                                                                                      MD5:634A50ED8D0885BB2749BA95E0EC7176
                                                                                                                                                                                      SHA1:3E93DAB2CAB00A12F8CC4E8F9BB84C0D4D12463A
                                                                                                                                                                                      SHA-256:57F8FDD626A4600E0857241E46E776BDF91B754BD41D7AB9E0C52B58435709EB
                                                                                                                                                                                      SHA-512:D2DD5B0FABE3211640B67A800960D6E7059F5268F1970DCD8517ACDA91B904C49B4E039682BBA1BDD38E16189053D8E012E42BA14E028C692667FF0249AEF953
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.........2...............4............\...^..K..'.......................................................................>........................................0...=...........................................................................................................................f...............?...........................m...................M...F...........................................m!..................&...........................................................e.......................**............................/X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.258532468329071
Encrypted:false
SSDEEP:384:8hwuTDFbuJuuDu/uVuuvu7uu6uOuU/ueuu/uFuuVuauUmuPuuAutuu2kuzjuUauT:8HawuFBoRW3L463zLKxWlmu16S
MD5:D83AC9BCBAC9E0063DE7AAE42420730D
SHA1:2CCF4F5785DF3C87F5A39F0B4A870997EAAC8C1C
SHA-256:CCACB4A732DBBB7D6E197FBC9B37B30C144B0EFFADBEF761CFE2BA286746BD27
SHA-512:27C4C60D423081AB56EAF77CE711E242ED3A9AD25E4610FDA7AED8DC0A200D10181F77C2ADC1667BEAACC2CCA30243744C8003576EECB85D1CC1F7776BB1D2D4
Malicious:false
Preview:ElfChnk.6...............=...................8.........Q........................................................................)........................................F...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................o...............................**......=........*............/X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.3449584871507656
Encrypted:false
SSDEEP:384:Yheu/uSuWugu5uGuFu5ut1u7su+uPudu3uxuIuTuxufvuIUubuMuBuquZu/uKu9s:YP6ZDGl
MD5:C1B7E9AD687F7F2312AEF54C48170FB3
SHA1:3A220F040596367ADB9384ADD6FFDBEB4E7C6668
SHA-256:35AF91615668D005ACD68FA93D0AD4A5A3E4B3B4DEEB3A1BBF60A5214CE716B2
SHA-512:F9C3C7FE17E71FFE4D17304F42616BEAF652895177C7B4B82EBE030697DB56A4D0889062917131D7417B50BA7A2E60BF0D8F3109A830857DE6E59A2E73778381
Malicious:false
Preview:ElfChnk.........H...............H............z.. |..........................................................................P..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..............%,H(T...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.291983847890207
Encrypted:false
SSDEEP:384:nahPAodANA9APA7SjAkxArIvjA2UlA/A3AnA7ATAnALAlAfMAYQAgiA/ABAxAsAm:na9SNmIvvfek9kOr
MD5:9848934080A1C4F5FE66AAB3A139FFE0
SHA1:36F5178355526902643746E33F104DB94B27CF9F
SHA-256:5F5ED50572A900F61120BC6B2B2B83B700EA9BA02F50A71B2954CFF7E064F02E
SHA-512:5260524EA5416D9863529D14DCC21479EDCD18E819BFAC272EEF4C945246039FC53596FD0625F48AA49EA8EDDADAB16331621D517D0B4EF6E83C2AF4BC770583
Malicious:false
Preview:ElfChnk.........r...............r...........8.........},.......................................................................q................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...........................M........................%..........&...................................................................................**..............}y.._........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.4244743131868125
Encrypted:false
SSDEEP:384:Rhk+pUYnpdo4pd+pdnpdwpdVpd+pdrpd4pdRpd/pdqpd9pdopdKpdXpd8pddpddV:RI
MD5:C07B4258D935462E3DA1B4AEA55F8C3C
SHA1:C6247B6A861406C71BD74D07AB2314CF21EC7DCA
SHA-256:351D3CE149D108801C2A080D7CCD71E1A30ADBC47D2F9A290261D9E1EB15480A
SHA-512:BF43FC57422DB73A40E1C8BE01F0A4D5261A2161D551536DF4FD6281539F00CCE7681E6DECB9FDD6C8E4682D82C134E6AA37BBABA9836B73ED828643F7F20234
Malicious:false
Preview:ElfChnk.&.......L.......&.......L............... ....d.......................................................................31.........................................:...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......&.......yN..^........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.121980224037596
Encrypted:false
SSDEEP:384:EhmCpaKpmpL6pAsUpfwpAbdpABApAGQpTVp2LMpIJpAbWpW8pAWWpAJap8kpAE0i:E
MD5:1B0C23A55F0B44F1A6D0A83C5259177B
SHA1:50B01ACE198A2E3C13D3F53FB9B4D6EE21D0DA31
SHA-256:C11595085235804F2C26331FD8119AA3587880A275F91323938B221193A4CCE2
SHA-512:2537D0A79DE78646A61499669DD18553FB65EA41C9696AE375C9402321B8785EF107CC485F60D6B7F101DC5B1A28BBD80E5E5CC842866DD001B8C61FC29D72F4
Malicious:false
Preview:ElfChnk.........R...............R...............X.....#.....................................................................:2~N........................................D...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................i'..E...............................................**..............a...f........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.23615107940855
Encrypted:false
SSDEEP:384:yhoCKCQC8CUCLCYC7CFCuC2C+CxC1Cl0Ct4CCC2C7CLCtCeCeCiCmjC0zCpDCMCq:y+fNJCRxkjZHVUL
MD5:A6B7DA2305393577AD2B3A6833267044
SHA1:69E6E49B9D44543AC66D3E0B7E2FB9BDBC728DC9
SHA-256:7B71FE9F53654B4EB5101B4B9BF5F70E876574087391EECC9D5C13B9448A1A65
SHA-512:F293F83473C1EA5920EAA2326A1879055F5DDF81B02355400BE2A55A78B00F832E44CB233B178B268D66A541AD092096C0DC6EEA664333F2A35F7780EEF4B8BD
Malicious:false
Preview:ElfChnk.........P...............P...................`.<.........................................................................................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F.......................&........................................%............................................................................../...**..@.............1.S...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):77176
Entropy (8bit):4.678369573134011
Encrypted:false
SSDEEP:768:i2isB9dIv2isB9dIxLbyNUmKoEVby4by7MIbyjg:tDB9dlDB9dSKUoEZRWJ
MD5:5F7073C7FB93788C6408CC5D4FABDF96
SHA1:BAB39CF942D74B9DB7C252406C1486EBBFFF4228
SHA-256:7C0A4DAF6736FD8CCDE8A93F79B6843A4F79A84023D45E4E3934C70CA374263B
SHA-512:AD975F7A458BC1EC2CBF407495EB402EDFF67EC4E1A9DC18925BBAE3BD431B762E0025B6021D30457F255F944EE99E47F755435961D6E16740CD72E943BFC0E1
Malicious:false
Preview:ElfChnk.M.......Z.......M.......Z...........@+..x-...W/........................................................................c........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..p...M............P......../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 64, DIRTY
Category:dropped
Size (bytes):69632
Entropy (8bit):2.9749808415920413
Encrypted:false
SSDEEP:768:gvgffnPNm/2sY3pLwIkJ2jLHbj9fr7w2imMFopTMFw3grHUP9q:ZGaY
MD5:1D2A31A57800A8E83D86BD02F1113BBB
SHA1:6483FA92980476F5AC399FE29BEA405A74ED2511
SHA-256:9CBA5D905A098A4B4E20A0099B1E56C64CCBB8E1A7040EDCBED8875B8FF35E00
SHA-512:15DC87D38DD5ACA45B25A801CD1BB4FCF0653DADD3E865225F53086AC360F74314EDC6F55290A2D02DA75BD83D7333A388AB92C4E51C22684C0431F24A86A8F7
Malicious:false
Preview:ElfFile.................@....................................................................................................d.B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.420102318681938
Encrypted:false
SSDEEP:768:GCxKhR8XwKiYI/fNrhB+p+ivrrflG/blppx:JxKz8XwK+9BjivrrfqbP
MD5:CD3B313400174C1AABBDE857BFCF132A
SHA1:2B79B19348D34C27A8A519A76FB2132140D55CC4
SHA-256:DA9ED4DCDC0ED4C942A6BBAD21248095111EC8012F8F32B4C4F1F315B4FB445D
SHA-512:C65A7D78D4210848179C759DDA5F815D360B65FE0AA926C642E4399BA9FA92B9DA4A702BF64ADC80FA02DA3A3B7A1F16B449A4AC8F04224125D68F01653B10AF
Malicious:false
Preview:ElfChnk......................................................................................................................dz................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..............4E'..P......../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.299560586686496
Encrypted:false
SSDEEP:1536:RKoKKK3KOKbKrK7KAKqKpK0KXKAK8KTK+KfKvKYKqK4KGKkKhKjK9KyKeKhK1KKo:RKoKKK3KOKbKrK7KAKqKpK0KXKAK8KTX
MD5:56547D62BE92CC5B225384E2C6C9F86B
SHA1:B8B4F54D5F852FB8F6381E3D82920763C1AB33B7
SHA-256:1D666547E58D50D24135B4EC5FB16DE0FE3EC29A4134A9CA5811BBC502688C29
                                                                                                                                                                                      SHA-512:61E662F8847BC73075BECDC6F74C5A3D771285D35EC55B9ED156AC285BD40E45D0760284EE1941E6D10AC771367DC46818DB7B6A77C4B08888140AC9B0FA96F6
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.....................................X}......y.X.....................................................................V...................,...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..H...........N..)........../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):4.095594919130715
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:xh8i4i/yi6iDiDi5iwiliM1iNiUiXKbieifiGiOiOiIiIiBigi1iVinixiEiVciX:xp6xKoHKN
                                                                                                                                                                                      MD5:AECC75DB5F7AE7FC126E887E3687CC5A
                                                                                                                                                                                      SHA1:289F83D53947D249DD5E3946BBAA6F88941C89F9
                                                                                                                                                                                      SHA-256:D08468D0FE7B6AECE1A085FB67DBFCB2DCFE31E4A3440A39E4DBF36830DD7704
                                                                                                                                                                                      SHA-512:8DB571EC554D3F0348F8A80E679A7E841CA14A7DED7D2C70E77151CF08A504448F5D288C39B7A56B7BA62B9398B532F89FB441B138FC5013974ADC4E6C3E54A8
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.....................................hQ..pS.....l....................................................................A..-............................................=...........................................................................................................................f...............?...............9.......B.......................M...F...........................................................&...............................................................q.......................**..................f...........>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):4.315486698523397
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:768:/xSaa8NlaranavazaZa5agCadadaZadacaRaZasasaUaUaMacaIaYaEakaAagakT:HN
                                                                                                                                                                                      MD5:D7CD145405B8221525BBE120EF41192E
                                                                                                                                                                                      SHA1:919A5D8E5373E2C4B58C5505FB3C72F05FCC6AD8
                                                                                                                                                                                      SHA-256:C2A3ACE783986D9219BBE4E8E6BE341B3CF2D7856999F160CE4DC4078472DD0F
                                                                                                                                                                                      SHA-512:14139DE7D1AD56C2584783D85EE6210BA483DEF477E8A62DB487FC5587C337A2A290CE61A9E082C4638A9B6470272D3190C26C57124A573E5AE444145DB0D332
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk./.......x.......E.......................P....'xY.......................................................................................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................................9...................................**..H...E.......3..Y.9......../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):3.9301128621401245
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:shNXDcXxzXZXeX/XOXMXauXLiXCXVX1XYXZXeX+XiXfXuXFXRX9XsX5XLXzXgXyX:syAgGHqOT
                                                                                                                                                                                      MD5:FB2812ED524836C3B02DF754ED40F5D6
                                                                                                                                                                                      SHA1:F6D29DE299C2112B63D1C923AB03C01D8A872E54
                                                                                                                                                                                      SHA-256:AB5D18CB620B260ED03ADBF0AEE4193B2A8D8B9C99486AA4E13D72464ECD7722
                                                                                                                                                                                      SHA-512:30BF3A607DD7E9308E6CF3BD1696419DCC52B85EEF81A15C3D4361FCFF8C4B74D5BA3E67DF7C91904B9A476CC4A73760EEFFEEB2D141198A391EB88B2F4AC006
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.........J...............J...........8.......p..b......................................................................4.................j...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................C...............................................................**..............C..?T...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):4.334389713554604
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:eh2LmImemomHmOmamCm2m2m3mnBmGqmFmJmFmKmrm2mOmsmSmmmVmghmRmBmBSXY:e/fqb
                                                                                                                                                                                      MD5:E6D1F661FB27BBD639359B69BE1DF5AF
                                                                                                                                                                                      SHA1:78954614434D27E7FD1711DF1D1BF539D1371056
                                                                                                                                                                                      SHA-256:03033EA13B68F682732D34E77CA9057DB6EC55BC0C3F28402F06CCEF5E968870
                                                                                                                                                                                      SHA-512:DF0339F62922166B6605921E83354E46AA91EF1E62BA79A78D509A8DE0891BB65F803E182957C3EFB51F4B05928D02E796646A5C55C8177C044AB2CF0AE0DF24
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.........................................P..........................................................................N]o.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............3...................................................................**................y........../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):1.9864061667701423
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:1h0h21c2kS27W2VP2en32x2U2x2V2d2N26A2q242R2V2Y2w25vb2C2k2o2g2s2IG:12C5
                                                                                                                                                                                      MD5:EFF848B0FF932783D97FA5E7F5A9D1C4
                                                                                                                                                                                      SHA1:4CEE16379A7FB9BEAE213423994ABD788CF64A86
                                                                                                                                                                                      SHA-256:38143020D620459EAF621E345FA137C4E4103FB389F6D83AB56E353FF99CEC92
                                                                                                                                                                                      SHA-512:C2641C04AF7016E0BBC4C1922CBE117EA97993D5CDE44750AD3DA76612B1575EFC45052B05AF7F0486704E37E469B55F5044F06C86EEB12DC96083B38DD38C3C
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk......................................]..._..+..2....................................................................V..x................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................%...............................&...................................................................................**................+.g........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):117448
                                                                                                                                                                                      Entropy (8bit):4.292761037658786
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:oVhpR+daRsRjRQRPRZX8R6R/aRXRsRqRbR2R7RoR/RlR9R/RlRlRaRMR0lbRLRzH:yLlK9SLlK96
                                                                                                                                                                                      MD5:5AF36205FC5418B967BB355E48C45A9C
                                                                                                                                                                                      SHA1:58FCAEAECD3226B34A36542A8C2358693529320E
                                                                                                                                                                                      SHA-256:FFF879E0BD84E947051AE2638359B0DDE4960D54F9E385FFFBCEA6363E8AA8C2
                                                                                                                                                                                      SHA-512:1CEB98E334EC8E292A7398A7856D19DF3CDDE2CF1C9D7AAB4E747DC4266B84EDB87E99796A7A26007585BC1CC5D1538D1DA3849C82B9B1C21041E6C26FBE10D9
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.Z...............Z................... ...p....C.m.....................................................................S\!....................2.......@..............=..........................................S.......................%...........................J...........................f...Z...........?......................................?.......M...F...a...........}...................................y.......&.....................................................................................**..X...Z........;..9..........>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                      Entropy (8bit):4.386429245131992
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:nhCh7whqhvh4h/hMNhihhiVqhXhPh5Vh+hth0qhPdh4zshS3hi9uhiZhhpYhAThR:nkMfO1mmkH4
                                                                                                                                                                                      MD5:5A7CA883974353392D7EC714AF06AC6C
                                                                                                                                                                                      SHA1:DA2B47E04625BF3E01FD6F1A203F306A5BA4447C
                                                                                                                                                                                      SHA-256:53849908379D83B59E9F399220BF83E41975B3504E44BD1B2BD5E5840BBAB730
                                                                                                                                                                                      SHA-512:EE6920BA3D50046DB5A797F722D5608D1BD67203A6367A1765A29F6D8D9196E8A2E976D8895DD7780F39CC7BE7338FEC495AF8766078735455B452BD7149EBD3
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:ElfChnk.........6...............6...........X.........$1...............................................................................................................l...=...........................................................................................................................f...............?...........................m...................M...F...........................................A...................&...................................................................9...............**..@...............,........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.5471131855647684
Encrypted:false
SSDEEP:384:dh2VaVYVtVbVwVoVTVJVgVZVrVdVfVKVHVl/V+VnkVkgVOVEVRVtVsVCVFVhfV5U:dWIreU7U7enh
MD5:F3BA5BF0E9FBF44D137836D13E9E2B50
SHA1:7ED6C05319392A84F4F20A793E9756679057CECB
SHA-256:CC7ECEDB3B172CB3EA32F99EBA55C1EFC8C9035B832F0252CE0DF7897767D38A
SHA-512:EB3A6A7FF36CAFD1A372A7FDA4D1AB236649B98182784D6C1466DBCD6355CC6B72914E5994E69E3CE59ED892CFAE02B223DA21F82E06DEE05954032140EC3005
Malicious:false
Preview:ElfChnk.............................................&.rn....................................................................tc..................&...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..P...........F~..S...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 257, DIRTY
Category:dropped
Size (bytes):98672
Entropy (8bit):3.073633679084
Encrypted:false
SSDEEP:768:OZyLCYhPL96HbYYOu8+oeXSsOIxW+cJQ3iVbXWmTy7l+UohiEnyecah9ZyLCYhPz:BQ
MD5:F6704EB9657B5674D54AB7B10B4534BC
SHA1:552F58FD9E5279A861722BA121E363CD4EC7F000
SHA-256:9B8569347C45A4D04D82BD2619659F83D896D121B1C85E14BDB199D6E14AC8FA
SHA-512:B1DE2DF34E26DFB4CF6F51A38EC72D0E5E49DFB1FA8781209E7F96071DEDAB8A79785EB3DA289162B0D4489EAB28F6FB456C1302E77C50D2D4F6E72BF7B10A28
Malicious:false
Preview:ElfFile.....................................................................................................................;..ElfChnk.....................................x.......)..%..................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..H........................./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.286734834904667
Encrypted:false
SSDEEP:384:rhuZBwBQ/lrBwB7/FBwBK8bV5BwB5dYBwBkBwBHBwB/BwBGBwBkBwBd5BwBJ+BwJ:r58bSi9
MD5:98F548964F5A937F375C0F135C6768EF
SHA1:1156429761FE709643150C0981A56318F4D8777B
SHA-256:EC4FB4C86909BD3856F7686B1C90112AC43220CF10F11B9E72618BF39019EB22
SHA-512:7C5645791522A8C07BDB1BCCCF4088BA9B2326C9A9AD84EF621B94F0CD1758BD724A14148C00E09379104C22B16F51382AAFA4A207028B113BE186FA1027F7BD
Malicious:false
Preview:ElfChnk....................................................................................................................7.Ac............................................=...........................................................................................................................f...............?...........................m...................M...F...........................W...................................&................................*..................................................**..............6\. ^........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.398335127645134
Encrypted:false
SSDEEP:384:0h1wUEFUEmUEMUEgUENUEqUEqUEWUEvUESUE4UE4UE3UEbUEpUEpUE9UEgUExUEm:0LxWRqXJQe
MD5:3F244396715C3475EA3D40FB54C33F43
SHA1:0D197B30CC75540721107B5DF81A84613F3ECD2C
SHA-256:B10E5F4D60E2BA78165A9326CF04ED334EC16D70BE94EC885CA8535FF2808D73
SHA-512:E3CEE2119AB5FFC685256C4DEA7E9BD6133A5D7FA7AB6A6CF0F1FD62204E53EFC76959CB6C7BAEC1DE9EB3705B7896A496D3EBF371136D44CDBE0EFC9A529A76
Malicious:false
Preview:ElfChnk.........+...............+...........x}..............................................................................@E..................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&....5.......................................................3......................**.............. 2^O.9......../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.4414645060383187
Encrypted:false
SSDEEP:384:4w0+VsWZttC95UZhVhRoSxHJUBvv3R2ipdJ97odz6L7RPLfVXYgXcIycjd52T42p:43sfo/0++Qhxf27SVSVTuziNpBg12U
MD5:190F8C8A864CEEF3F2FA2038B6BBACBB
SHA1:FD61E53C2EACACD5CF889A4F3E39A80766D02442
SHA-256:4A75996EF4D4E9ABACA04FA63EF3B5F728BA234ECFD2A6144DBD04E6FFB521FB
SHA-512:5F21E2E016C05BC1724696DB3048D4827D414CA3CABB9CAD2099CE0C3D2EF85E46536F4E6131BED6FAE6B43819819FD1371D04740EB4E5255D724FC04998FD99
Malicious:false
Preview:ElfChnk.........+...............+............Y...Z...AT^......................................................................'.............................................=...........................................................................................................................w...............P...........................~...................M...m...........................x...............................................................&.......................................................**..x............Bo.,.........|.=O&.......|.=O.s.Q...W.E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..j............{..P.r.o.v.i.d.e.r...G....=.......K...N.a.m.e.......O.n.e.A.p.p._.I.G.C.C._.W.i.n.S.e.r.v.i.c.e..A..M............a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13064
Entropy (8bit):4.162431562700685
Encrypted:false
SSDEEP:384:tsvFROYBgotx3zgM7tX2o6Mty7o3opJLIVio9Mty5o9Mt9:uNfvytk
MD5:9439481F8B4407759D438EE6BAE4D831
SHA1:0E3D15841C95142FE956F62D5E5F8CF6F7388398
SHA-256:8F39CD36DC49314B79688663B41FA277EFB22703878D8BEB894F951A85AD68DF
SHA-512:16967DAC4505B172F3676FEACC1248E935F3A2FE642DBF6BF0861E18C4CDD91C47BE8D6141861E33AFBA6462AA1FD76AF327774B61516686C70B20FAC425C275
Malicious:false
Preview:ElfChnk..................~.......~..........8!..H#...p.;.................................................................... Z.v................Z...s...h...................=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:...........................&...............................>.......................3...........................................................**.......~..........P............&...........0.P\...3.Du?.......A..3...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....\...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):76800
Entropy (8bit):4.403456814410914
Encrypted:false
SSDEEP:768:wA4fA4GKhR8XwKiYI/fNrhB+p+ivrrflG/uIA4D:pTTKz8XwK+9Bjivrrfquh0
MD5:AC148EC2044597C979BD86182029684E
SHA1:0A014BBCB2B5753D1CB504FC1FB84C0B6435BEFB
SHA-256:90061066784AEDB3EBD731C0A0F2BC7B5F8039EAFFE89B905C4104B613A35F6F
SHA-512:C996D160BBFCCF4A4FD202CFB0CBACB37D951939FC51DD954EF28B3713E683B3099EE30D8335534E898465A8FC55E7994CCA1C8E66412979DFE59976F3743375
Malicious:false
Preview:ElfChnk..................0.......0..............H....<.#.....................................................................Z......................s...h...................=...................................................N...............................i...............w.......0.......................E...................................W...........).......M...3...:...................................................................&...........................................................................**..@....0......R....P.........}.T&........}.TA.P[J.......;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
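The dropped files above are Windows Event Log (EVTX) data written by svchost.exe. The previews show why file(1) labels most of them "data": they begin with a bare 64 KiB chunk (`ElfChnk`, which is why their size is exactly 65536), while the 98672-byte file begins with the `ElfFile` header that libmagic recognises and summarises as "3 chunks (no. 2 in use), next record no. 257, DIRTY". Two caveats for anyone carving these: DIRTY means the log was still open for writing when it was copied, and 98672 bytes is less than the 4096-byte header block plus the three 64 KiB chunks the header announces, so the dropped copy is incomplete and chunk reads must be bounds-checked rather than driven by the header's chunk count. The following parser is an added example, not Joe Sandbox code; the field offsets follow the publicly documented EVTX layout, and since the sample bytes are not on the page it builds constructed headers carrying the values the report prints, with valid CRC32 checksums, and reproduces the File Type wording from them.

```python
"""Decode EVTX file ("ElfFile") and chunk ("ElfChnk") headers and reproduce the
report's File Type description.  Added example; offsets follow the public EVTX
format documentation.  SAMPLE_FILE_HEADER / SAMPLE_CHUNK are constructed here,
not bytes taken from the sandbox report."""
import struct
import zlib

EVTX_FILE_HDR = struct.Struct("<8sQQQIHHHH76sII")    # 128-byte ElfFile header
EVTX_CHUNK_HDR = struct.Struct("<8sQQQQIIII64sII")   # 128-byte ElfChnk header
CHUNK_SIZE = 0x10000                                  # every chunk is exactly 64 KiB
FLAG_DIRTY, FLAG_FULL = 0x1, 0x2                      # file_flags bits at offset 120


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_file_header(buf: bytes) -> dict:
    """Fields of the ElfFile header; its CRC32 covers bytes 0..119 (flags excluded)."""
    if len(buf) < EVTX_FILE_HDR.size or buf[:8] != b"ElfFile\x00":
        raise ValueError("not an EVTX file header")
    (_sig, first_chunk, last_chunk, next_record, _hdr_size, minor, major,
     block_size, n_chunks, _unused, flags, checksum) = EVTX_FILE_HDR.unpack_from(buf)
    return {
        "first_chunk": first_chunk, "last_chunk": last_chunk,
        "next_record": next_record, "version": (major, minor),
        "header_block_size": block_size, "chunks": n_chunks,
        "dirty": bool(flags & FLAG_DIRTY), "full": bool(flags & FLAG_FULL),
        "crc_ok": crc32(buf[:120]) == checksum,
        # what the file really holds, independent of what the header claims
        "chunks_present": max(0, (len(buf) - block_size) // CHUNK_SIZE),
    }


def describe(hdr: dict) -> str:
    """Same wording as the report's File Type line (libmagic prints last_chunk as 'in use')."""
    s = f"MS Windows Vista Event Log, {hdr['chunks']} chunks (no. {hdr['last_chunk']} in use)"
    if hdr["next_record"] > 1:
        s += f", next record no. {hdr['next_record']}"
    if hdr["dirty"]:
        s += ", DIRTY"
    if hdr["full"]:
        s += ", FULL"
    return s


def parse_chunk_header(chunk: bytes) -> dict:
    """Fields of one 64 KiB chunk; its CRC32 covers bytes 0..119 plus 128..511
    (the string and template offset tables that follow the fixed header)."""
    if len(chunk) < 512 or chunk[:8] != b"ElfChnk\x00":
        raise ValueError("not an EVTX chunk")
    (_sig, first_num, last_num, first_id, last_id, _hdr_size, last_rec_off,
     free_off, records_crc, _unused, _flags, checksum) = EVTX_CHUNK_HDR.unpack_from(chunk)
    return {
        "first_record": first_num, "last_record": last_num,
        "first_record_id": first_id, "last_record_id": last_id,
        "last_record_offset": last_rec_off, "free_space_offset": free_off,
        "records_crc": records_crc,
        "crc_ok": crc32(chunk[:120] + chunk[128:512]) == checksum,
    }


def build_file_header(n_chunks: int, last_chunk: int, next_record: int, flags: int) -> bytes:
    """Constructed ElfFile header with a valid checksum (not bytes from the report)."""
    hdr = EVTX_FILE_HDR.pack(b"ElfFile\x00", 0, last_chunk, next_record, 128, 1, 3,
                             4096, n_chunks, bytes(76), flags, 0)
    return hdr[:124] + struct.pack("<I", crc32(hdr[:120]))


def build_chunk(first_num: int, last_num: int, free_off: int) -> bytes:
    """Constructed, empty 64 KiB chunk whose header checksum verifies."""
    hdr = EVTX_CHUNK_HDR.pack(b"ElfChnk\x00", first_num, last_num, first_num, last_num,
                              128, free_off - 0x100, free_off, 0, bytes(64), 0, 0)
    chunk = bytearray(hdr + bytes(CHUNK_SIZE - len(hdr)))
    chunk[124:128] = struct.pack("<I", crc32(bytes(chunk[:120]) + bytes(chunk[128:512])))
    return bytes(chunk)


# Constructed to match the values the report prints for the 98672-byte file.
SAMPLE_FILE_HEADER = build_file_header(n_chunks=3, last_chunk=2, next_record=257, flags=FLAG_DIRTY)
SAMPLE_CHUNK = build_chunk(first_num=1, last_num=256, free_off=0x4000)

if __name__ == "__main__":
    fh = parse_file_header(SAMPLE_FILE_HEADER)
    print(describe(fh), "| crc ok:", fh["crc_ok"])
    print(parse_chunk_header(SAMPLE_CHUNK))
```

To apply it to a real dropped file, pass its bytes to `parse_file_header` and then walk chunks at `header_block_size + i * CHUNK_SIZE` only while `i < chunks_present`; a chunk whose `crc_ok` is False is either truncated or was mid-write when captured.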

File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):6.335130602420154
TrID:
• Win64 Executable Console (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:hades.exe
File size:318'976 bytes
MD5:e73a9365e27c8d35b86435028297c506
SHA1:c0519c0219c6bd1111ae4388235297361b49aad9
SHA256:e800692d021ed87f0d691d915e76c794175b50b83681508f26330ddea56cb4e0
SHA512:da6f85b2d83ab0507c43cfd6275fe09f736e94df16bf2ac5bcbc9ce7217e5b5622e154f5d3f2c3856bad19241cfb0578e9950d5272660ca1877abcb27f57a754
SSDEEP:6144:IG9hTXK1XtpTjt9NgBnuQ6XODV2CT4O9QIaxkGT6kfcqw6z:nbTXK1XDTbNknuQKUEHIcou
TLSH:85644B19F94568ECE55BC078C2469A326632B4CD1B3279FB13D841387E6BAE86F3C744
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d.[.d.[.d.[..o[.d.[...Z.d.[...Z.d.[...Z.d.[...Z.d.[.d.[.d.[.d.[.d.[...[.d.[...Z.d.[Rich.d.[........................PE..d..
Icon Hash:f0ecd6ce8d8e878b
Entrypoint:0x140035220
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x676206FF [Tue Dec 17 23:19:27 2024 UTC]
TLS Callbacks:0x40027180, 0x1
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                      Import Hash:c84c07dcbdb2da2b0f345abf5697420c
Instruction
dec eax
sub esp, 28h
call 00007FD2D45C3C08h
dec eax
add esp, 28h
jmp 00007FD2D45C3797h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007FD2D45C3938h
inc cx
and edx, 8D4DF000h
wait
add al, dh
Programming Language:
• [IMP] VS2008 SP1 build 30729
Name|Virtual Address|Virtual Size|Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT|0x0|0x0|
IMAGE_DIRECTORY_ENTRY_IMPORT|0x4b1a4|0x140|.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE|0x4f000|0xc00|.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION|0x4d000|0x1ea8|.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY|0x0|0x0|
IMAGE_DIRECTORY_ENTRY_BASERELOC|0x50000|0x660|.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG|0x46150|0x54|.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT|0x0|0x0|
IMAGE_DIRECTORY_ENTRY_GLOBALPTR|0x0|0x0|
IMAGE_DIRECTORY_ENTRY_TLS|0x46200|0x28|.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG|0x46010|0x140|.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT|0x0|0x0|
IMAGE_DIRECTORY_ENTRY_IAT|0x39000|0x380|.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT|0x0|0x0|
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR|0x0|0x0|
IMAGE_DIRECTORY_ENTRY_RESERVED|0x0|0x0|
Name|Virtual Address|Virtual Size|Raw Size|MD5|Xored PE|ZLIB Complexity|File Type|Entropy|Characteristics
.text|0x1000|0x373af|0x37400|3fb712f593c351d24dece8e9e0e720a9|False|0.46106564621040724|data|6.361508041288937|IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata|0x39000|0x12f4c|0x13000|3110a201f50024e26286509ea6179da0|False|0.3753854851973684|OpenPGP Secret Key Version 4|5.357322707856237|IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data|0x4c000|0x3f8|0x200|ae1bfe8e89a97dc0c45d367880a163ed|False|0.251953125|data|1.781754577938833|IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata|0x4d000|0x1ea8|0x2000|02ebf2c72744e1ae873e238a2019ee89f|False|0.48193359375|data|5.42850217980828|IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc|0x4f000|0xc00|0xc00|60c4ed82c771ee830b2e1533748801c6|False|0.7421875|data|6.010929569363337|IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc|0x50000|0x660|0x800|bbf3736fc816c39ace21cc581be6b927|False|0.54541015625|data|4.851186578418043|IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name|RVA|Size|Type|Language|Country|ZLIB Complexity
RT_ICON|0x4f0c0|0xb28|Device independent bitmap graphic, 21 x 64 x 32, image size 2688, resolution 3779 x 3779 px/m|English|United States|0.7629551820728291
RT_GROUP_ICON|0x4fbe8|0x14|data|English|United States|1.1
DLL|Import
api-ms-win-core-synch-l1-2-0.dll|WakeByAddressAll, WaitOnAddress, WakeByAddressSingle
bcryptprimitives.dll|ProcessPrng
kernel32.dll|GetCurrentDirectoryW, SetLastError, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, QueryPerformanceCounter, WaitForSingleObject, GetStdHandle, GetCurrentProcessId, GetCurrentThread, HeapReAlloc, lstrlenW, ReleaseMutex, SetThreadStackGuarantee, AddVectoredExceptionHandler, GetConsoleMode, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, GetProcAddress, HeapAlloc, GetSystemTimeAsFileTime, InitializeSListHead, CloseHandle, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, HeapFree, GetProcessHeap, FormatMessageW, LoadLibraryExA, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameW, GetLastError, GetCurrentProcess, VirtualQuery, GetModuleHandleA, GetModuleHandleW, OutputDebugStringW, GetEnvironmentVariableW, GetCurrentThreadId, IsProcessorFeaturePresent
advapi32.dll|SystemFunction036, OpenProcessToken, LsaOpenPolicy, LookupPrivilegeValueW, GetTokenInformation, LsaAddAccountRights, LsaClose, AdjustTokenPrivileges
oleaut32.dll|SysStringLen, GetErrorInfo, SysFreeString
api-ms-win-core-winrt-error-l1-1-0.dll|RoOriginateErrorW
bcrypt.dll|BCryptGenRandom
ntdll.dll|NtWriteFile, RtlNtStatusToDosError
VCRUNTIME140.dll|memmove, memcpy, _CxxThrowException, memcmp, __CxxFrameHandler3, __current_exception_context, __current_exception, __C_specific_handler, memset
api-ms-win-crt-string-l1-1-0.dll|strlen
api-ms-win-crt-runtime-l1-1-0.dll|exit, _exit, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _initterm_e, _initterm, _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate, _set_app_type, _configure_narrow_argv, _get_initial_narrow_environment, _initialize_narrow_environment
api-ms-win-crt-math-l1-1-0.dll|__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll|__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll|_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll|free, _set_new_mode
Language of compilation system|Country where language is spoken|Map
English|United States|
Timestamp|Source Port|Dest Port|Source IP|Dest IP
Dec 18, 2024 00:33:14.524238110 CET|49713|80|192.168.11.20|74.125.139.94
Dec 18, 2024 00:33:14.669701099 CET|80|49713|74.125.139.94|192.168.11.20
Dec 18, 2024 00:33:14.669868946 CET|49713|80|192.168.11.20|74.125.139.94
Dec 18, 2024 00:33:14.669994116 CET|49713|80|192.168.11.20|74.125.139.94
Dec 18, 2024 00:33:14.815368891 CET|80|49713|74.125.139.94|192.168.11.20
Dec 18, 2024 00:33:14.816365004 CET|80|49713|74.125.139.94|192.168.11.20
Dec 18, 2024 00:33:14.858082056 CET|49713|80|192.168.11.20|74.125.139.94
Dec 18, 2024 00:34:15.251106024 CET|49713|80|192.168.11.20|74.125.139.94
Dec 18, 2024 00:34:15.396879911 CET|80|49713|74.125.139.94|192.168.11.20
Dec 18, 2024 00:34:15.397049904 CET|49713|80|192.168.11.20|74.125.139.94
Timestamp|Source Port|Dest Port|Source IP|Dest IP
Dec 18, 2024 00:33:14.387676954 CET|56642|53|192.168.11.20|1.1.1.1
Dec 18, 2024 00:33:14.523597002 CET|53|56642|1.1.1.1|192.168.11.20
Timestamp|Source IP|Dest IP|Trans ID|OP Code|Name|Type|Class|DNS over HTTPS
Dec 18, 2024 00:33:14.387676954 CET|192.168.11.20|1.1.1.1|0x50ba|Standard query (0)|c.pki.goog|A (IP address)|IN (0x0001)|false
Timestamp|Source IP|Dest IP|Trans ID|Reply Code|Name|CName|Address|Type|Class|DNS over HTTPS
Dec 18, 2024 00:33:13.946423054 CET|1.1.1.1|192.168.11.20|0xaae3|No error (0)|bg.microsoft.map.fastly.net||199.232.210.172|A (IP address)|IN (0x0001)|false
Dec 18, 2024 00:33:13.946423054 CET|1.1.1.1|192.168.11.20|0xaae3|No error (0)|bg.microsoft.map.fastly.net||199.232.214.172|A (IP address)|IN (0x0001)|false
Dec 18, 2024 00:33:14.523597002 CET|1.1.1.1|192.168.11.20|0x50ba|No error (0)|c.pki.goog||pki-goog.l.google.com|CNAME (Canonical name)|IN (0x0001)|false
Dec 18, 2024 00:33:14.523597002 CET|1.1.1.1|192.168.11.20|0x50ba|No error (0)|pki-goog.l.google.com||74.125.139.94|A (IP address)|IN (0x0001)|false
• c.pki.goog
Session ID|Source IP|Source Port|Destination IP|Destination Port|PID|Process
0|192.168.11.20|49713|74.125.139.94|80|3240|C:\Windows\System32\svchost.exe
Timestamp|Bytes transferred|Direction|Data
Dec 18, 2024 00:33:14.669994116 CET|200|OUT|GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Dec 18, 2024 00:33:14.816365004 CET|223|IN|HTTP/1.1 304 Not Modified
Date: Tue, 17 Dec 2024 23:07:39 GMT
Expires: Tue, 17 Dec 2024 23:57:39 GMT
Age: 1535
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
                                                                                                                                                                                      Cache-Control: public, max-age=3000
                                                                                                                                                                                      Vary: Accept-Encoding

                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                      Start time:18:33:07
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Users\user\Desktop\hades.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\hades.exe"
                                                                                                                                                                                      Imagebase:0x7ff7cdad0000
                                                                                                                                                                                      File size:318'976 bytes
                                                                                                                                                                                      MD5 hash:E73A9365E27C8D35B86435028297C506
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                      Has exited:false
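
As an added example (not part of the Joe Sandbox report and not Joe Security's code), the following Python helper parses the flattened "Key:Value" process records of this report into one dict per Target ID and decodes the memory-dump name in the Yara "Source" field. The dump-name field layout assumed here (target id, phase, sequence number, base address, then the Windows protection, state and type values in hex) is my reading of the name and is not documented on this page; the three flag values 0x40, 0x1000 and 0x20000 do match PAGE_EXECUTE_READWRITE, MEM_COMMIT and MEM_PRIVATE. Under that reading the matched region at 0x1409cda0000 is a private RWX allocation far from the 0x7ff7cdad0000 image base, which is the usual footprint of unpacked or injected code rather than the on-disk module, and that is what the triage function flags. The sample input is a constructed excerpt of the records shown above.

```python
import re

# Windows memory-region constants (winnt.h); used to interpret the dump name.
PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# Constructed excerpt of the report's process records (subset of the fields on the page).
SAMPLE_RECORDS = r"""
Target ID:0
Start time:18:33:07
Path:C:\Users\user\Desktop\hades.exe
Imagebase:0x7ff7cdad0000
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.3067502015.000001409CDA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low

Target ID:1
Path:C:\Windows\System32\conhost.exe
Imagebase:0x7ff7109b0000
Reputation:high
"""

# Assumed layout of a Joe Sandbox ".sdmp" name: target.phase.seq.base.protect.state.type.extra
DUMP_NAME_RE = re.compile(
    r"(?P<target>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp"
)


def parse_records(text):
    """Split the flattened 'Key:Value' blocks into one dict per 'Target ID' record.
    Yara bullet lines are collected under the 'Yara matches' key as a list."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Target ID:"):
            current = {"Yara matches": []}
            records.append(current)
        if current is None:
            continue
        if line.startswith("•"):
            current["Yara matches"].append(line.lstrip("• ").strip())
            continue
        key, sep, value = line.partition(":")  # split on the first colon only (paths contain ':')
        if sep and key != "Yara matches":
            current[key] = value.strip()
    return records


def parse_dump_name(name):
    """Decode the dotted dump name into integers; returns None if it does not match the assumed layout."""
    m = DUMP_NAME_RE.search(name)
    if not m:
        return None
    return {
        "target": int(m["target"], 16),
        "base": int(m["base"], 16),
        "protect": int(m["protect"], 16),
        "state": int(m["state"], 16),
        "type": int(m["type"], 16),
    }


def yara_sources(record):
    """Extract the 'Source: <name>.sdmp' token from each Yara match line of a record."""
    out = []
    for line in record["Yara matches"]:
        m = re.search(r"Source:\s*(\S+\.sdmp)", line)
        if m:
            out.append(m.group(1))
    return out


def region_findings(record):
    """Flag Yara-matched regions that look like runtime-allocated code instead of the loaded image."""
    image_base = int(record.get("Imagebase", "0"), 16)
    findings = []
    for src in yara_sources(record):
        info = parse_dump_name(src)
        if info is None:
            continue
        reasons = []
        if info["protect"] == PAGE_EXECUTE_READWRITE:
            reasons.append("RWX")
        if info["type"] & MEM_PRIVATE and not info["type"] & MEM_IMAGE:
            reasons.append("private (not image-backed)")
        if info["base"] != image_base:
            reasons.append("not at module image base")
        if reasons:
            findings.append((record["Target ID"], hex(info["base"]), reasons))
    return findings


def triage(text):
    """Parse all records and return (target id, region base, reasons) for suspicious regions."""
    results = []
    for rec in parse_records(text):
        results.extend(region_findings(rec))
    return results


if __name__ == "__main__":
    for target, base, reasons in triage(SAMPLE_RECORDS):
        print(f"Target {target}: region {base}: {', '.join(reasons)}")
```

Only the region flags are decoded; the seq and extra fields are carried through untouched because their meaning is not established by the page.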

                                                                                                                                                                                      Target ID:1
                                                                                                                                                                                      Start time:18:33:08
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff7109b0000
                                                                                                                                                                                      File size:875'008 bytes
                                                                                                                                                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                      Start time:18:33:08
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\winlogon.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:winlogon.exe
                                                                                                                                                                                      Imagebase:0x7ff6ee4d0000
                                                                                                                                                                                      File size:944'128 bytes
                                                                                                                                                                                      MD5 hash:A987B43E6A8E8F894B98A3DF022DB518
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                      Start time:18:33:09
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\lsass.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\lsass.exe
                                                                                                                                                                                      Imagebase:0x7ff6230e0000
                                                                                                                                                                                      File size:59'448 bytes
                                                                                                                                                                                      MD5 hash:15A556DEF233F112D127025AB51AC2D3
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                      Start time:18:33:09
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                      Start time:18:33:11
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\fontdrvhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:"fontdrvhost.exe"
                                                                                                                                                                                      Imagebase:0x7ff695bf0000
                                                                                                                                                                                      File size:830'520 bytes
                                                                                                                                                                                      MD5 hash:AB7AB4CF816D091EEE234C1D9BC4FD13
                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                      Start time:18:33:11
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\fontdrvhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:"fontdrvhost.exe"
                                                                                                                                                                                      Imagebase:0x7ff695bf0000
                                                                                                                                                                                      File size:830'520 bytes
                                                                                                                                                                                      MD5 hash:AB7AB4CF816D091EEE234C1D9BC4FD13
                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:8
                                                                                                                                                                                      Start time:18:33:11
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k RPCSS -p
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                      Start time:18:33:12
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      Target ID:10
                                                                                                                                                                                      Start time:18:33:12
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:11
                                                                                                                                                                                      Start time:18:33:12
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:12
                                                                                                                                                                                      Start time:18:33:13
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\dwm.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:"dwm.exe"
                                                                                                                                                                                      Imagebase:0x7ff615f40000
                                                                                                                                                                                      File size:94'720 bytes
                                                                                                                                                                                      MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:13
                                                                                                                                                                                      Start time:18:33:17
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:14
                                                                                                                                                                                      Start time:18:33:17
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:15
                                                                                                                                                                                      Start time:18:33:17
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                      Start time:18:33:17
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:17
                                                                                                                                                                                      Start time:18:33:18
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:18
                                                                                                                                                                                      Start time:18:33:19
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
                                                                                                                                                                                      Imagebase:0x7ff78aa50000
                                                                                                                                                                                      File size:365'360 bytes
                                                                                                                                                                                      MD5 hash:B6BAD2BD8596D9101874E9042B8E2D63
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                      Start time:18:33:19
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                      Start time:18:33:19
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      Target ID:21
                                                                                                                                                                                      Start time:18:33:19
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

Target ID: 22
Start time: 18:33:20
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 23
Start time: 18:33:21
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 24
Start time: 18:33:21
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 25
Start time: 18:33:21
Start date: 17/12/2024
Path: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
Imagebase: 0x7ff65a340000
File size: 521'536 bytes
MD5 hash: 3B0DF35583675DE5A08E8D4C1271CEC0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 26
Start time: 18:33:22
Start date: 17/12/2024
Path: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
Imagebase: 0x7ff721260000
File size: 399'664 bytes
MD5 hash: 91038D45A86B5465E8B7E5CD63187150
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 27
Start time: 18:33:22
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 28
Start time: 18:33:22
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 29
Start time: 18:33:23
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 31
Start time: 18:33:23
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 34
Start time: 18:33:24
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 35
Start time: 18:33:24
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 36
Start time: 18:33:24
Start date: 17/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase: 0x7ff636c90000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

                                                                                                                                                                                      Target ID:37
                                                                                                                                                                                      Start time:18:33:24
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:39
                                                                                                                                                                                      Start time:18:33:25
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                                                                                                                      Imagebase:0x7ff636c90000
                                                                                                                                                                                      File size:57'360 bytes
                                                                                                                                                                                      MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                      Target ID:40
                                                                                                                                                                                      Start time:18:33:25
                                                                                                                                                                                      Start date:17/12/2024
                                                                                                                                                                                      Path:C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe
                                                                                                                                                                                      Imagebase:0x15a9d8c0000
                                                                                                                                                                                      File size:87'872 bytes
                                                                                                                                                                                      MD5 hash:E9989DBE1A9F598479E9F68475D3C31A
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Has exited:false


Execution Graph

Execution Coverage:15%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:41%
Total number of Nodes:1111
Total number of Limit Nodes:111
WakeByAddressSingle 4723->4728 4725->4727 4729 7ff7cdb076c4 WakeByAddressAll 4725->4729 4727->4686 4728->4727 4728->4729 4729->4727 4786 7ff7cdaf7f10 4730->4786 4733 7ff7cdaf17a0 32 API calls 4734 7ff7cdaf517e 4733->4734 4737 7ff7cdaf51bd 4734->4737 4738 7ff7cdaf5232 4734->4738 4735 7ff7cdaf5230 4735->4673 4736 7ff7cdafea8e 4736->4673 4737->4735 4802 7ff7cdb082f0 4737->4802 4738->4736 4805 7ff7cdb08260 4738->4805 4743 7ff7cdaf1d9c 4742->4743 4745 7ff7cdaf1db2 4742->4745 4758 7ff7cdaefbf0 4743->4758 4745->4702 4747 7ff7cdaf0d67 4746->4747 4749 7ff7cdaf0da4 4747->4749 4775 7ff7cdb07700 4747->4775 4749->4705 4779 7ff7cdaf3170 4750->4779 4752 7ff7cdaf47ce 4755 7ff7cdb07059 4753->4755 4754 7ff7cdb07080 4754->4710 4755->4754 4756 7ff7cdb070ac WaitOnAddress 4755->4756 4756->4755 4757 7ff7cdb070c9 GetLastError 4756->4757 4757->4755 4759 7ff7cdaf6610 27 API calls 4758->4759 4763 7ff7cdaefc22 4759->4763 4760 7ff7cdb06b90 27 API calls 4760->4763 4761 7ff7cdaefd78 SetLastError GetEnvironmentVariableW 4762 7ff7cdaefd99 GetLastError 4761->4762 4761->4763 4762->4763 4764 7ff7cdaefe99 GetLastError 4762->4764 4763->4760 4763->4761 4765 7ff7cdaefdb3 GetLastError 4763->4765 4767 7ff7cdaefe1e 4763->4767 4774 7ff7cdaefc32 4763->4774 4764->4774 4765->4763 4766 7ff7cdaeffa0 4765->4766 4768 7ff7cdb07fd0 27 API calls 4766->4768 4769 7ff7cdaeff89 4767->4769 4770 7ff7cdaefe27 4767->4770 4772 7ff7cdaeff9e 4768->4772 4771 7ff7cdb08300 27 API calls 4769->4771 4773 7ff7cdaf1ba0 27 API calls 4770->4773 4771->4772 4772->4745 4773->4774 4774->4745 4776 7ff7cdb07717 4775->4776 4777 7ff7cdaf7010 32 API calls 4776->4777 4778 7ff7cdb0776e 4776->4778 4777->4778 4778->4749 4780 7ff7cdaf31ad 4779->4780 4782 7ff7cdaf3188 4779->4782 4781 7ff7cdb07040 WaitOnAddress GetLastError 4780->4781 4781->4782 4782->4752 4784 7ff7cdb07f30 32 API calls 4783->4784 4785 7ff7cdb0800d 4784->4785 4787 7ff7cdaf7f1d 4786->4787 4788 7ff7cdaf5125 4787->4788 4808 7ff7cdaf4380 4787->4808 4788->4733 4817 7ff7cdb04890 4802->4817 
4806 7ff7cdb07f30 32 API calls 4805->4806 4807 7ff7cdb082e0 4806->4807 4809 7ff7cdaf17a0 32 API calls 4808->4809 4810 7ff7cdaf43cc 4809->4810 4811 7ff7cdb080b8 32 API calls 4810->4811 4812 7ff7cdaf4403 4811->4812 4813 7ff7cdaf17a0 32 API calls 4812->4813 4814 7ff7cdaf445c 4813->4814 4815 7ff7cdb080b8 32 API calls 4814->4815 4816 7ff7cdaf4493 4815->4816 4818 7ff7cdb07f30 32 API calls 4817->4818 4819 7ff7cdb048fe 4818->4819 4822 7ff7cdaf6b46 4820->4822 4821 7ff7cdaf6dc3 4823 7ff7cdb082f0 32 API calls 4821->4823 4828 7ff7cdaf6ce6 4821->4828 4822->4821 4824 7ff7cdb08300 32 API calls 4822->4824 4827 7ff7cdaf6ccb 4822->4827 4822->4828 4823->4827 4824->4821 4825 7ff7cdb082f0 32 API calls 4826 7ff7cdaf6fbd 4825->4826 4826->4655 4827->4825 4827->4828 4828->4655 4830 7ff7cdb07f30 32 API calls 4829->4830 4831 7ff7cdafecd8 4830->4831 4832 7ff7cdae27e0 4837 7ff7cdad2640 4832->4837 4834 7ff7cdae2816 4849 7ff7cdad5ac0 4834->4849 4836 7ff7cdae282b 4900 7ff7cdadef00 4837->4900 4839 7ff7cdad2695 4840 7ff7cdad269f 4839->4840 4841 7ff7cdad2988 4839->4841 4938 7ff7cdafed90 4840->4938 4843 7ff7cdb08260 32 API calls 4841->4843 4845 7ff7cdad29c9 4843->4845 4844 7ff7cdad2794 memset 4846 7ff7cdad287a OutputDebugStringW 4844->4846 4848 7ff7cdad27d3 4844->4848 4845->4834 4847 7ff7cdad2890 4846->4847 4847->4834 4848->4846 4850 7ff7cdafed90 32 API calls 4849->4850 4851 7ff7cdad5b9c memset 4850->4851 4852 7ff7cdad5c7a OutputDebugStringW 4851->4852 4855 7ff7cdad5bd4 4851->4855 4853 7ff7cdad5c97 4852->4853 4951 7ff7cdad1e60 4853->4951 4855->4852 4856 7ff7cdad5cb4 4896 7ff7cdad5cc0 4856->4896 4981 7ff7cdadfa90 4856->4981 4858 7ff7cdad5d02 4859 7ff7cdad5d0f 4858->4859 4862 7ff7cdad5ddf 4858->4862 4860 7ff7cdafed90 32 API calls 4859->4860 4861 7ff7cdad5d7d memset 4860->4861 4863 7ff7cdad5f8a OutputDebugStringW 4861->4863 4865 7ff7cdad5dba 4861->4865 4864 7ff7cdafed90 32 API calls 4862->4864 4863->4896 4866 7ff7cdad5ea3 memset 4864->4866 4865->4863 4867 7ff7cdad608a OutputDebugStringW 4866->4867 4870 
7ff7cdad5ed9 4866->4870 4868 7ff7cdad60a0 4867->4868 5027 7ff7cdad6d20 4868->5027 4870->4867 4872 7ff7cdad6185 memset OutputDebugStringW GetModuleHandleA 4875 7ff7cdad6272 4872->4875 4880 7ff7cdad6233 4872->4880 4873 7ff7cdad60c5 4874 7ff7cdafed90 32 API calls 4873->4874 4877 7ff7cdad612a memset 4874->4877 5057 7ff7cdae5780 GetLastError 4875->5057 4879 7ff7cdad632a OutputDebugStringW 4877->4879 4885 7ff7cdad6160 4877->4885 4879->4880 4880->4896 5037 7ff7cdad5500 4880->5037 4881 7ff7cdad636b 4882 7ff7cdad6375 4881->4882 4883 7ff7cdad6467 4881->4883 4887 7ff7cdad6388 VirtualQuery 4882->4887 4884 7ff7cdafed90 32 API calls 4883->4884 4886 7ff7cdad64a9 memset 4884->4886 4885->4879 4888 7ff7cdad66ca OutputDebugStringW 4886->4888 4895 7ff7cdad64e6 4886->4895 4889 7ff7cdad63a4 4887->4889 4890 7ff7cdad650b 4887->4890 4888->4896 4889->4890 4892 7ff7cdad63ae 4889->4892 4891 7ff7cdafed90 32 API calls 4890->4891 4893 7ff7cdad655b memset 4891->4893 4894 7ff7cdafed90 32 API calls 4892->4894 4893->4888 4893->4895 4897 7ff7cdad640c memset 4894->4897 4895->4888 4896->4836 4898 7ff7cdad67ba OutputDebugStringW 4897->4898 4899 7ff7cdad6442 4897->4899 4898->4896 4899->4898 4901 7ff7cdafed90 32 API calls 4900->4901 4902 7ff7cdadf04b memset 4901->4902 4903 7ff7cdadf13a OutputDebugStringW 4902->4903 4905 7ff7cdadf086 4902->4905 4904 7ff7cdadf15d 4903->4904 4907 7ff7cdadf1ba 4904->4907 4911 7ff7cdadf17f 4904->4911 4905->4903 4906 7ff7cdadf1a9 4945 7ff7cdae9d20 memset 4906->4945 4908 7ff7cdadf1d9 4907->4908 4910 7ff7cdb07e13 32 API calls 4907->4910 4908->4839 4914 7ff7cdadf8c1 4910->4914 4911->4906 4912 7ff7cdadf232 4911->4912 4915 7ff7cdadf250 memmove memmove 4912->4915 4913 7ff7cdadf1b5 4916 7ff7cdadf27d memmove 4913->4916 4917 7ff7cdb07e13 32 API calls 4914->4917 4915->4916 4916->4914 4919 7ff7cdadf2ae 4916->4919 4921 7ff7cdadf8dc 4917->4921 4918 7ff7cdadf8de 4920 7ff7cdb08300 32 API calls 4918->4920 4919->4914 4919->4918 4922 7ff7cdadf2d6 4919->4922 4920->4921 4921->4839 4922->4918 4923 
7ff7cdadf2fc memmove memmove 4922->4923 4924 7ff7cdadf343 4923->4924 4925 7ff7cdadf352 memmove memset 4923->4925 4927 7ff7cdafed90 32 API calls 4924->4927 4926 7ff7cdadf3f3 4925->4926 4926->4924 4930 7ff7cdadf44e 4926->4930 4928 7ff7cdadf5e2 memset 4927->4928 4929 7ff7cdadf6da OutputDebugStringW 4928->4929 4932 7ff7cdadf624 4928->4932 4931 7ff7cdadf6f6 4929->4931 4933 7ff7cdafed90 32 API calls 4930->4933 4931->4908 4935 7ff7cdb08260 32 API calls 4931->4935 4932->4929 4934 7ff7cdadf508 memset 4933->4934 4936 7ff7cdadf84a OutputDebugStringW 4934->4936 4937 7ff7cdadf54a 4934->4937 4935->4921 4936->4908 4937->4936 4939 7ff7cdafedba 4938->4939 4940 7ff7cdafeea9 4939->4940 4941 7ff7cdb08260 32 API calls 4939->4941 4942 7ff7cdafee79 4939->4942 4940->4844 4941->4942 4943 7ff7cdb07e13 32 API calls 4942->4943 4944 7ff7cdafef05 4943->4944 4944->4844 4948 7ff7cdae9d87 4945->4948 4946 7ff7cdaec2c0 32 API calls 4946->4948 4947 7ff7cdae9eaf memmove 4947->4913 4948->4946 4948->4947 4950 7ff7cdaeb820 32 API calls 4948->4950 4950->4948 4952 7ff7cdad24c0 4951->4952 4953 7ff7cdad1eaa 4951->4953 5058 7ff7cdb07110 4952->5058 4955 7ff7cdad1ecd 4953->4955 4956 7ff7cdb07320 32 API calls 4953->4956 4957 7ff7cdad2528 4955->4957 4963 7ff7cdad1eda 4955->4963 4956->4955 4959 7ff7cdb08260 32 API calls 4957->4959 4958 7ff7cdad209b 4961 7ff7cdafed90 32 API calls 4958->4961 4960 7ff7cdad255c 4959->4960 4965 7ff7cdad25c4 4960->4965 4968 7ff7cdb07630 35 API calls 4960->4968 4962 7ff7cdad20f5 memset 4961->4962 4964 7ff7cdad234a OutputDebugStringW 4962->4964 4971 7ff7cdad213b 4962->4971 4963->4958 4966 7ff7cdad2160 4963->4966 4969 7ff7cdad2360 4964->4969 4965->4856 4967 7ff7cdafed90 32 API calls 4966->4967 4970 7ff7cdad2257 memset 4967->4970 4968->4965 4972 7ff7cdad24ae 4969->4972 5066 7ff7cdb07630 4969->5066 4973 7ff7cdad240a OutputDebugStringW 4970->4973 4977 7ff7cdad229d 4970->4977 4971->4964 4972->4856 4980 7ff7cdad2420 4973->4980 4975 7ff7cdad256b 4979 7ff7cdb07e13 32 API calls 4975->4979 4976 
7ff7cdad246e memmove 4976->4969 4977->4973 4979->4960 4980->4975 4980->4976 4982 7ff7cdafed90 32 API calls 4981->4982 4983 7ff7cdadfbd1 memset 4982->4983 4984 7ff7cdadfcba OutputDebugStringW 4983->4984 4986 7ff7cdadfc0c 4983->4986 4985 7ff7cdadfcdd 4984->4985 4987 7ff7cdadfd07 4985->4987 4990 7ff7cdadfdff 4985->4990 4986->4984 4988 7ff7cdafed90 32 API calls 4987->4988 4989 7ff7cdadfd9c memset 4988->4989 4991 7ff7cdadfdde 4989->4991 4992 7ff7cdadfeea OutputDebugStringW 4989->4992 4993 7ff7cdb07e13 32 API calls 4990->4993 5025 7ff7cdadfe1e 4990->5025 4991->4992 4996 7ff7cdadff06 4992->4996 4994 7ff7cdae05ef 4993->4994 4998 7ff7cdb07e13 32 API calls 4994->4998 4995 7ff7cdadff2b 4999 7ff7cdb080d2 32 API calls 4995->4999 5000 7ff7cdadff46 4995->5000 4996->4995 5082 7ff7cdb080d2 4996->5082 5001 7ff7cdae060b 4998->5001 4999->5000 5002 7ff7cdadff69 5000->5002 5004 7ff7cdadfff3 5000->5004 5001->4858 5003 7ff7cdae9d20 34 API calls 5002->5003 5005 7ff7cdadff75 5003->5005 5006 7ff7cdae0011 memmove memmove 5004->5006 5007 7ff7cdae003e memmove 5005->5007 5006->5007 5007->4994 5012 7ff7cdae0070 5007->5012 5008 7ff7cdae009c memmove memmove 5010 7ff7cdae0172 5008->5010 5011 7ff7cdae00e9 5008->5011 5014 7ff7cdafed90 32 API calls 5010->5014 5077 7ff7cdae4e30 5011->5077 5012->4994 5012->5008 5015 7ff7cdae01e1 memset 5014->5015 5016 7ff7cdae02da OutputDebugStringW 5015->5016 5019 7ff7cdae0223 5015->5019 5017 7ff7cdae02f6 5016->5017 5022 7ff7cdb08260 32 API calls 5017->5022 5017->5025 5018 7ff7cdae0129 5018->5010 5020 7ff7cdae03ca 5018->5020 5019->5016 5021 7ff7cdafed90 32 API calls 5020->5021 5023 7ff7cdae0494 memset 5021->5023 5022->5001 5024 7ff7cdae058a OutputDebugStringW 5023->5024 5026 7ff7cdae04d6 5023->5026 5024->5025 5025->4858 5026->5024 5028 7ff7cdad6d57 5027->5028 5029 7ff7cdad6fa1 5027->5029 5031 7ff7cdb07040 2 API calls 5028->5031 5033 7ff7cdad6d69 5028->5033 5030 7ff7cdb07110 3 API calls 5029->5030 5030->5033 5031->5029 5032 7ff7cdb08260 32 API calls 5036 7ff7cdad6d8d 
5032->5036 5033->5032 5033->5036 5034 7ff7cdad60bb 5034->4872 5034->4873 5036->5034 5097 7ff7cdb07100 WakeByAddressSingle 5036->5097 5038 7ff7cdad5523 5037->5038 5039 7ff7cdad55c1 memset 5037->5039 5040 7ff7cdad560f 5038->5040 5043 7ff7cdad554f memset 5038->5043 5041 7ff7cdad59bc OutputDebugStringW 5039->5041 5044 7ff7cdafed90 32 API calls 5040->5044 5042 7ff7cdad59ca 5041->5042 5042->4881 5043->5041 5045 7ff7cdad569d memset 5044->5045 5046 7ff7cdad578a OutputDebugStringW 5045->5046 5048 7ff7cdad56d5 5045->5048 5050 7ff7cdad57ac 5046->5050 5047 7ff7cdad5958 memset 5047->5041 5048->5046 5049 7ff7cdad57fc strlen 5049->5050 5050->5047 5050->5049 5051 7ff7cdad5854 memcmp 5050->5051 5051->5050 5052 7ff7cdad5865 5051->5052 5053 7ff7cdafed90 32 API calls 5052->5053 5054 7ff7cdad58fb memset 5053->5054 5055 7ff7cdad5a7a OutputDebugStringW 5054->5055 5056 7ff7cdad5933 5054->5056 5055->5042 5056->5055 5057->4880 5059 7ff7cdb07204 5058->5059 5062 7ff7cdb0713d 5058->5062 5060 7ff7cdb071be 5061 7ff7cdb071f2 5060->5061 5065 7ff7cdb071ec WakeByAddressAll 5060->5065 5061->4953 5062->5060 5062->5061 5063 7ff7cdb07195 WaitOnAddress 5062->5063 5063->5062 5064 7ff7cdb071b2 GetLastError 5063->5064 5064->5062 5065->5061 5067 7ff7cdb076d9 5066->5067 5068 7ff7cdb07647 5066->5068 5069 7ff7cdb07fd0 32 API calls 5067->5069 5070 7ff7cdb0766f 5068->5070 5072 7ff7cdb0765a WakeByAddressSingle 5068->5072 5071 7ff7cdb076f1 5069->5071 5073 7ff7cdb07679 5070->5073 5074 7ff7cdb076a0 WakeByAddressSingle 5070->5074 5076 7ff7cdb0768e 5070->5076 5075 7ff7cdb076c4 WakeByAddressAll 5073->5075 5073->5076 5074->5075 5074->5076 5075->5076 5076->4972 5078 7ff7cdae4e8f 5077->5078 5079 7ff7cdae4e64 5077->5079 5080 7ff7cdae4f05 5078->5080 5085 7ff7cdaea670 5078->5085 5079->5018 5080->5018 5093 7ff7cdb08110 5082->5093 5087 7ff7cdaea6d1 5085->5087 5086 7ff7cdaeab31 5086->5078 5087->5086 5088 7ff7cdaeab9c 5087->5088 5091 7ff7cdaeab1b 5087->5091 5089 7ff7cdb08310 32 API calls 5088->5089 5090 7ff7cdaeabab 5089->5090 
5092 7ff7cdb08310 32 API calls 5091->5092 5092->5086 5094 7ff7cdb08142 5093->5094 5095 7ff7cdb07f30 32 API calls 5094->5095 5096 7ff7cdb08259 5095->5096 5432 7ff7cdad1520 5433 7ff7cdad1c4e 5432->5433 5434 7ff7cdad156a 5432->5434 5435 7ff7cdb07110 3 API calls 5433->5435 5436 7ff7cdad1580 5434->5436 5437 7ff7cdad1c3a 5434->5437 5435->5436 5439 7ff7cdad15a5 5436->5439 5440 7ff7cdad1c9c 5436->5440 5459 7ff7cdb07500 5437->5459 5444 7ff7cdad1d26 5439->5444 5454 7ff7cdad15cb 5439->5454 5441 7ff7cdb08260 32 API calls 5440->5441 5442 7ff7cdad1ccb 5441->5442 5464 7ff7cdae3460 5442->5464 5443 7ff7cdb07630 35 API calls 5447 7ff7cdad1c26 5443->5447 5445 7ff7cdb07e30 32 API calls 5444->5445 5445->5442 5448 7ff7cdad1d65 5449 7ff7cdadef00 47 API calls 5449->5454 5450 7ff7cdad1ce9 5452 7ff7cdb08260 32 API calls 5450->5452 5451 7ff7cdad1bdc 5451->5443 5451->5447 5452->5442 5454->5449 5454->5450 5454->5451 5455 7ff7cdae3b50 5454->5455 5456 7ff7cdae3e01 5455->5456 5458 7ff7cdae3b88 5455->5458 5477 7ff7cdb06000 5456->5477 5458->5454 5463 7ff7cdb07529 5459->5463 5460 7ff7cdb0761d 5460->5451 5461 7ff7cdb075b6 WaitOnAddress 5462 7ff7cdb075d3 GetLastError 5461->5462 5461->5463 5462->5463 5463->5460 5463->5461 5465 7ff7cdae3471 5464->5465 5466 7ff7cdae349a 5465->5466 5467 7ff7cdb076d9 5465->5467 5468 7ff7cdb07647 5465->5468 5466->5448 5469 7ff7cdb07fd0 32 API calls 5467->5469 5470 7ff7cdb0766f 5468->5470 5473 7ff7cdb0765a WakeByAddressSingle 5468->5473 5471 7ff7cdb076f1 5469->5471 5472 7ff7cdb07679 5470->5472 5474 7ff7cdb0768e 5470->5474 5475 7ff7cdb076a0 WakeByAddressSingle 5470->5475 5472->5474 5476 7ff7cdb076c4 WakeByAddressAll 5472->5476 5474->5448 5475->5474 5475->5476 5476->5474 5478 7ff7cdb06126 5477->5478 5479 7ff7cdb0602c 5477->5479 5480 7ff7cdafebc0 32 API calls 5478->5480 5481 7ff7cdb0607b 5479->5481 5483 7ff7cdb06055 5479->5483 5488 7ff7cdb0609e 5480->5488 5482 7ff7cdae0ce0 memmove 5481->5482 5482->5488 5483->5478 5484 7ff7cdb06132 5483->5484 5485 7ff7cdb063e1 5484->5485 5486 
7ff7cdb0615c memset 5484->5486 5487 7ff7cdafec10 32 API calls 5485->5487 5486->5488 5487->5488 5488->5458 5488->5488 5723 7ff7cdad1000 5724 7ff7cdad10a2 5723->5724 5728 7ff7cdad101c 5723->5728 5725 7ff7cdb07eb0 32 API calls 5724->5725 5726 7ff7cdad10ae 5725->5726 5729 7ff7cdad1158 5726->5729 5732 7ff7cdad10cc 5726->5732 5727 7ff7cdad102c 5728->5727 5736 7ff7cdaf3d30 ProcessPrng 5728->5736 5730 7ff7cdb07eb0 32 API calls 5729->5730 5735 7ff7cdad1164 5730->5735 5734 7ff7cdad10dc 5732->5734 5737 7ff7cdaf3d30 ProcessPrng 5732->5737 5736->5727 5737->5734 5778 7ff7cdad7060 5779 7ff7cdad11e0 WakeByAddressSingle 5778->5779 5780 7ff7cdad7082 5779->5780 5781 7ff7cdad25e0 5782 7ff7cdad2626 5781->5782 5783 7ff7cdad2617 5781->5783 5784 7ff7cdb07630 35 API calls 5782->5784 5784->5783 5738 7ff7cdaffb40 5740 7ff7cdaffb7e 5738->5740 5739 7ff7cdaffbc8 5740->5739 5742 7ff7cdaffc0a memmove 5740->5742 5743 7ff7cdaffd28 5740->5743 5748 7ff7cdaffd59 5740->5748 5741 7ff7cdb07e13 32 API calls 5744 7ff7cdaffd7a 5741->5744 5745 7ff7cdaffd36 5742->5745 5751 7ff7cdaffc2f 5742->5751 5746 7ff7cdb07d70 32 API calls 5743->5746 5747 7ff7cdb07d70 32 API calls 5745->5747 5746->5745 5747->5748 5748->5741 5749 7ff7cdaffc8c memmove 5749->5751 5750 7ff7cdb07d70 32 API calls 5750->5751 5751->5739 5751->5749 5751->5750 5785 7ff7cdb05220 5788 7ff7cdb0550c 5785->5788 5789 7ff7cdb05229 5788->5789 5790 7ff7cdb0552f GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 5788->5790 5790->5789
APIs
Strings
• LdrLoadDllEtwEventWriteFullEtwEventWriteEtwEventWriteTransferWDEnableMpWDEnableMpScanStartMpSampleSubmitMpAmsiNotifyMpSampleQueryMpAmsiScanMpThreatActionNtResumeThreadNtGetContextThreadNtSetContextThreadNtCloseNtCreateThreadExNtCreateProcessExNtQueryInformatio, xrefs: 00007FF7CDAD384F
• KO_S, xrefs: 00007FF7CDAD3045
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: DebugOutputString$memset$ErrorHandleLastModulememmove
• String ID: KO_S$LdrLoadDllEtwEventWriteFullEtwEventWriteEtwEventWriteTransferWDEnableMpWDEnableMpScanStartMpSampleSubmitMpAmsiNotifyMpSampleQueryMpAmsiScanMpThreatActionNtResumeThreadNtGetContextThreadNtSetContextThreadNtCloseNtCreateThreadExNtCreateProcessExNtQueryInformatio
• API String ID: 3561296225-1350649164
• Opcode ID: cec30894ef4ac94984ac6fd4a260fd1dd67f1f0602c51c73ba310177245b14ee
• Instruction ID: 90ad2ee8bf9b9b39c0c28a824732df4ddacf609ba7b52b7a7d57300aecc1b71f
• Opcode Fuzzy Hash: cec30894ef4ac94984ac6fd4a260fd1dd67f1f0602c51c73ba310177245b14ee
• Instruction Fuzzy Hash: FCE2B172B19BD188EB319F20D854BED6360FB45798F80413ADA6D4BB9AEF78D644C310

Control-flow Graph

                                                                                                                                                                                        control_flow_graph 292 7ff7cdad5ac0-7ff7cdad5bce call 7ff7cdafed90 memset 295 7ff7cdad5bd4-7ff7cdad5be6 292->295 296 7ff7cdad5c7a-7ff7cdad5c95 OutputDebugStringW 292->296 299 7ff7cdad5bf2-7ff7cdad5c1e 295->299 300 7ff7cdad5be8-7ff7cdad5bf0 295->300 297 7ff7cdad5ca5-7ff7cdad5cbe call 7ff7cdad1e60 296->297 298 7ff7cdad5c97-7ff7cdad5ca0 call 7ff7cdae55a0 296->298 308 7ff7cdad5cc0-7ff7cdad5cc2 297->308 309 7ff7cdad5cc7-7ff7cdad5d09 call 7ff7cdadfa90 297->309 298->297 304 7ff7cdad5c20-7ff7cdad5c4a 299->304 303 7ff7cdad5c4c-7ff7cdad5c5d 300->303 305 7ff7cdad5c60-7ff7cdad5c67 303->305 304->303 304->304 305->296 307 7ff7cdad5c69-7ff7cdad5c78 305->307 307->296 307->305 310 7ff7cdad5ff1-7ff7cdad6007 308->310 313 7ff7cdad5ddf-7ff7cdad5e12 call 7ff7cdb02730 309->313 314 7ff7cdad5d0f-7ff7cdad5db4 call 7ff7cdafed90 memset 309->314 319 7ff7cdad5e34-7ff7cdad5e3e 313->319 320 7ff7cdad5e14-7ff7cdad5e28 313->320 321 7ff7cdad5f8a-7ff7cdad5f9e OutputDebugStringW 314->321 322 7ff7cdad5dba-7ff7cdad5dcc 314->322 329 7ff7cdad5e45-7ff7cdad5e53 319->329 327 7ff7cdad623b-7ff7cdad625c 320->327 328 7ff7cdad5e2e-7ff7cdad5e32 320->328 325 7ff7cdad5fa0-7ff7cdad5fac call 7ff7cdae55a0 321->325 326 7ff7cdad5fb1-7ff7cdad5fbb 321->326 323 7ff7cdad5dd2-7ff7cdad5dda 322->323 324 7ff7cdad5efe-7ff7cdad5f2e 322->324 330 7ff7cdad5f5c-7ff7cdad5f6d 323->330 336 7ff7cdad5f30-7ff7cdad5f5a 324->336 325->326 334 7ff7cdad5fcf 326->334 335 7ff7cdad5fbd-7ff7cdad5fca call 7ff7cdae55a0 326->335 331 7ff7cdad6262-7ff7cdad626d call 7ff7cdae55a0 327->331 332 7ff7cdad5e5a-7ff7cdad5ed3 call 7ff7cdafed90 memset 327->332 328->329 329->332 337 7ff7cdad5f70-7ff7cdad5f77 330->337 331->332 346 7ff7cdad5ed9-7ff7cdad5eeb 332->346 347 7ff7cdad608a-7ff7cdad609e OutputDebugStringW 332->347 341 7ff7cdad5fd1-7ff7cdad5fd4 334->341 335->334 336->330 336->336 
337->321 342 7ff7cdad5f79-7ff7cdad5f88 337->342 341->310 345 7ff7cdad5fd6-7ff7cdad5fee call 7ff7cdae55a0 341->345 342->321 342->337 345->310 351 7ff7cdad5ef1-7ff7cdad5ef9 346->351 352 7ff7cdad6008-7ff7cdad602b 346->352 349 7ff7cdad60a0-7ff7cdad60ac call 7ff7cdae55a0 347->349 350 7ff7cdad60b1-7ff7cdad60bf call 7ff7cdad6d20 347->350 349->350 361 7ff7cdad6185-7ff7cdad6231 memset OutputDebugStringW GetModuleHandleA 350->361 362 7ff7cdad60c5-7ff7cdad615a call 7ff7cdafed90 memset 350->362 356 7ff7cdad605c-7ff7cdad606d 351->356 357 7ff7cdad6030-7ff7cdad605a 352->357 358 7ff7cdad6070-7ff7cdad6077 356->358 357->356 357->357 358->347 360 7ff7cdad6079-7ff7cdad6088 358->360 360->347 360->358 364 7ff7cdad6233-7ff7cdad6236 361->364 365 7ff7cdad6272-7ff7cdad6283 call 7ff7cdae5780 361->365 371 7ff7cdad6160-7ff7cdad6172 362->371 372 7ff7cdad632a-7ff7cdad633e OutputDebugStringW 362->372 366 7ff7cdad6358-7ff7cdad636f call 7ff7cdad5500 364->366 365->366 376 7ff7cdad6289-7ff7cdad628c 365->376 380 7ff7cdad6375-7ff7cdad639e call 7ff7cdae5650 VirtualQuery 366->380 381 7ff7cdad6467-7ff7cdad64e0 call 7ff7cdafed90 memset 366->381 377 7ff7cdad62a5-7ff7cdad62c8 371->377 378 7ff7cdad6178-7ff7cdad6180 371->378 373 7ff7cdad6340-7ff7cdad634c call 7ff7cdae55a0 372->373 374 7ff7cdad6351 372->374 373->374 374->366 382 7ff7cdad628e-7ff7cdad6292 call 7ff7cdae67b0 376->382 383 7ff7cdad6297-7ff7cdad62a0 376->383 384 7ff7cdad62d0-7ff7cdad62fa 377->384 385 7ff7cdad62fc-7ff7cdad630d 378->385 397 7ff7cdad63a4-7ff7cdad63a8 380->397 398 7ff7cdad650b-7ff7cdad6592 call 7ff7cdafed90 memset 380->398 395 7ff7cdad64e6-7ff7cdad64f8 381->395 396 7ff7cdad66ca-7ff7cdad66de OutputDebugStringW 381->396 382->383 389 7ff7cdad67f4-7ff7cdad67fe 383->389 384->384 384->385 390 7ff7cdad6310-7ff7cdad6317 385->390 389->341 393 7ff7cdad6804-7ff7cdad681c call 7ff7cdae55a0 389->393 390->372 394 7ff7cdad6319-7ff7cdad6328 390->394 393->341 394->372 394->390 400 7ff7cdad65bd-7ff7cdad65dc 395->400 401 7ff7cdad64fe-7ff7cdad6506 395->401 
402 7ff7cdad66e0-7ff7cdad66ec call 7ff7cdae55a0 396->402 403 7ff7cdad66f1-7ff7cdad66fb 396->403 397->398 405 7ff7cdad63ae-7ff7cdad643c call 7ff7cdafed90 memset 397->405 398->396 414 7ff7cdad6598-7ff7cdad65aa 398->414 412 7ff7cdad65e0-7ff7cdad660a 400->412 407 7ff7cdad660c-7ff7cdad661d 401->407 402->403 410 7ff7cdad670f-7ff7cdad6712 403->410 411 7ff7cdad66fd-7ff7cdad670a call 7ff7cdae55a0 403->411 423 7ff7cdad6442-7ff7cdad6454 405->423 424 7ff7cdad67ba-7ff7cdad67d5 OutputDebugStringW 405->424 417 7ff7cdad6620-7ff7cdad6627 407->417 410->308 416 7ff7cdad6718-7ff7cdad672d call 7ff7cdae55a0 410->416 411->410 412->407 412->412 419 7ff7cdad6643-7ff7cdad6666 414->419 420 7ff7cdad65b0-7ff7cdad65b8 414->420 416->308 417->396 422 7ff7cdad662d-7ff7cdad663c 417->422 425 7ff7cdad6670-7ff7cdad669a 419->425 428 7ff7cdad669c-7ff7cdad66ad 420->428 422->417 430 7ff7cdad663e 422->430 431 7ff7cdad6732-7ff7cdad675e 423->431 432 7ff7cdad645a-7ff7cdad6462 423->432 426 7ff7cdad67d7-7ff7cdad67e3 call 7ff7cdae55a0 424->426 427 7ff7cdad67e8-7ff7cdad67ef 424->427 425->425 425->428 426->427 427->389 435 7ff7cdad66b0-7ff7cdad66b7 428->435 430->396 433 7ff7cdad6760-7ff7cdad678a 431->433 434 7ff7cdad678c-7ff7cdad679d 432->434 433->433 433->434 437 7ff7cdad67a0-7ff7cdad67a7 434->437 435->396 438 7ff7cdad66b9-7ff7cdad66c8 435->438 437->424 439 7ff7cdad67a9-7ff7cdad67b8 437->439 438->396 438->435 439->424 439->437
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: memset$DebugOutputString$HandleModuleQueryVirtual
• String ID: ntdll.dll
• API String ID: 3283594973-2227199552
• Opcode ID: 140f2ee9e839133e6177cb0feefefdcfcdc6100d825a8f6b9f6a943a781eb85c
• Instruction ID: 13be8725c25b9d1c6f6449a7ebad308ba2759789b4c334ce1930f931d5dec4b7
• Opcode Fuzzy Hash: 140f2ee9e839133e6177cb0feefefdcfcdc6100d825a8f6b9f6a943a781eb85c
• Instruction Fuzzy Hash: D472B132B18BC689EB219F20D854BEC63A1FB45798F844236DA5D47FA9EF38D644C350

Control-flow Graph
APIs
Strings
• a Display implementation returned an error unexpectedlyC:\Users\HarrisonEdwards\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs, xrefs: 00007FF7CDAE0619
• , xrefs: 00007FF7CDADFB3E
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: memmove$DebugOutputStringmemset
• String ID: $a Display implementation returned an error unexpectedlyC:\Users\HarrisonEdwards\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs
• API String ID: 1555711964-769381475
• Opcode ID: c2638c97bb8170379efc4faaade6f96266e8794252fa742058d4543a89bb344c
• Instruction ID: c128465233633496df66704b7f1e052f8b667b4cc2bc3d5e322f0056f5420298
• Opcode Fuzzy Hash: c2638c97bb8170379efc4faaade6f96266e8794252fa742058d4543a89bb344c
• Instruction Fuzzy Hash: 4352A032B19BC588EB31DF21D850BEE63A0FB49798F804135DA5D4BB8AEF799255C310

Control-flow Graph
APIs
Strings
• a Display implementation returned an error unexpectedlyC:\Users\HarrisonEdwards\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs, xrefs: 00007FF7CDADF922
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: memmove$memset$DebugOutputString
• String ID: a Display implementation returned an error unexpectedlyC:\Users\HarrisonEdwards\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs
• API String ID: 2403700729-1217048905
• Opcode ID: f01722728f6743910340b147448ea9a44c98d5fab5105c086e68913e8e359a5f
• Instruction ID: 5801337d99b4e135f58123a65e368f4943e5ab90543534425d10f88b26133acb
• Opcode Fuzzy Hash: f01722728f6743910340b147448ea9a44c98d5fab5105c086e68913e8e359a5f
• Instruction Fuzzy Hash: 0C42A162B1DBC189EB719F20D8507ED63A4FB45798F804235DA9D0BB8AEF78A344C351

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: DebugOutputStringmemset$memcmpstrlen
• String ID: c
• API String ID: 2294051181-112844655
• Opcode ID: 2871eeadbb70f845e39d83bbf3464a4759411a0833b209048276e310986f9df0
• Instruction ID: d69da03883497fc3b8048ad84c648277149886083f3b912b1722310a395adbf0
• Opcode Fuzzy Hash: 2871eeadbb70f845e39d83bbf3464a4759411a0833b209048276e310986f9df0
• Instruction Fuzzy Hash: BCE1AE32B1CBC185EB219F24E451BAAE3A1FB85794F844235DA9D03BA5EF3CD585CB10

Control-flow Graph
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DebugOutputStringmemset$memmove
                                                                                                                                                                                        • String ID: arenegyl$called `Result::unwrap()` on an `Err` value$modnarod$setybdet$uespemos
                                                                                                                                                                                        • API String ID: 1679965580-2410307170
                                                                                                                                                                                        • Opcode ID: ec1d1a64b15b8df332beab5294459893b6265a5339f838eae16ab73897f1734d
                                                                                                                                                                                        • Instruction ID: 946c6ea4c7260c45d136d1ec59b360703d945675e4e02df41b5417cc3f7f4170
                                                                                                                                                                                        • Opcode Fuzzy Hash: ec1d1a64b15b8df332beab5294459893b6265a5339f838eae16ab73897f1734d
                                                                                                                                                                                        • Instruction Fuzzy Hash: D502C472B19B8145EB20DF60D864BEDA361FB057A8F808236DE2D5BB95EF3C9641C350

Control-flow Graph

control_flow_graph 760 7ff7cdad4920-7ff7cdad496e call 7ff7cdad1e60 763 7ff7cdad4974-7ff7cdad4a00 call 7ff7cdafed90 memset 760->763 764 7ff7cdad4a2b-7ff7cdad4a7d call 7ff7cdadfa90 760->764 771 7ff7cdad4a06-7ff7cdad4a18 763->771 772 7ff7cdad4d0a-7ff7cdad4d25 OutputDebugStringW 763->772 769 7ff7cdad4a83-7ff7cdad4b57 call 7ff7cdafed90 memset 764->769 770 7ff7cdad4b82-7ff7cdad4bbb call 7ff7cdb02730 764->770 785 7ff7cdad4b5d-7ff7cdad4b6f 769->785 786 7ff7cdad4eda-7ff7cdad4eee OutputDebugStringW 769->786 787 7ff7cdad4bc1-7ff7cdad4c5b call 7ff7cdafed90 memset 770->787 788 7ff7cdad4d39-7ff7cdad4d6e call 7ff7cdad5500 770->788 777 7ff7cdad4c86-7ff7cdad4ca9 771->777 778 7ff7cdad4a1e-7ff7cdad4a26 771->778 774 7ff7cdad50d5-7ff7cdad50ed 772->774 775 7ff7cdad4d2b-7ff7cdad4d34 772->775 780 7ff7cdad50d0 call 7ff7cdae55a0 775->780 783 7ff7cdad4cb0-7ff7cdad4cda 777->783 782 7ff7cdad4cdc-7ff7cdad4ced 778->782 780->774 784 7ff7cdad4cf0-7ff7cdad4cf7 782->784 783->782 783->783 784->772 790 7ff7cdad4cf9-7ff7cdad4d08 784->790 793 7ff7cdad4b75-7ff7cdad4b7d 785->793 794 7ff7cdad4e4e-7ff7cdad4e7e 785->794 791 7ff7cdad4ef0-7ff7cdad4efc call 7ff7cdae55a0 786->791 792 7ff7cdad4f01-7ff7cdad4f0b 786->792 808 7ff7cdad4c61-7ff7cdad4c73 787->808 809 7ff7cdad507a-7ff7cdad508e OutputDebugStringW 787->809 805 7ff7cdad4f23-7ff7cdad4fd2 call 7ff7cdafed90 memset 788->805 806 7ff7cdad4d74-7ff7cdad4e23 call 7ff7cdafed90 memset 788->806 790->772 790->784 791->792 798 7ff7cdad4f11-7ff7cdad4f1e 792->798 799 7ff7cdad50bb-7ff7cdad50be 792->799 800 7ff7cdad4eac-7ff7cdad4ebd 793->800 803 7ff7cdad4e80-7ff7cdad4eaa 794->803 804 7ff7cdad50b6 call 7ff7cdae55a0 798->804 799->774 807 7ff7cdad50c0-7ff7cdad50cd 799->807 810 7ff7cdad4ec0-7ff7cdad4ec7 800->810 803->800 803->803 804->799 825 7ff7cdad4fd8-7ff7cdad4fea 805->825 826 7ff7cdad520a-7ff7cdad521e OutputDebugStringW 805->826 806->826 827 7ff7cdad4e29-7ff7cdad4e3b 806->827 807->780 817 7ff7cdad4ffd-7ff7cdad501c 808->817 818 7ff7cdad4c79-7ff7cdad4c81 808->818 812 7ff7cdad5090-7ff7cdad509c call 7ff7cdae55a0 809->812 813 7ff7cdad50a1-7ff7cdad50a4 809->813 810->786 811 7ff7cdad4ec9-7ff7cdad4ed8 810->811 811->786 811->810 812->813 813->799 820 7ff7cdad50a6-7ff7cdad50b3 813->820 823 7ff7cdad5020-7ff7cdad504a 817->823 824 7ff7cdad504c-7ff7cdad505d 818->824 820->804 823->823 823->824 828 7ff7cdad5060-7ff7cdad5067 824->828 831 7ff7cdad5183-7ff7cdad51af 825->831 832 7ff7cdad4ff0-7ff7cdad4ff8 825->832 829 7ff7cdad5220-7ff7cdad522c call 7ff7cdae55a0 826->829 830 7ff7cdad5231-7ff7cdad5234 826->830 833 7ff7cdad4e41-7ff7cdad4e49 827->833 834 7ff7cdad50ee-7ff7cdad511e 827->834 828->809 835 7ff7cdad5069-7ff7cdad5078 828->835 829->830 838 7ff7cdad5236-7ff7cdad5246 call 7ff7cdae55a0 830->838 839 7ff7cdad524b-7ff7cdad524e 830->839 836 7ff7cdad51b0-7ff7cdad51da 831->836 840 7ff7cdad51dc-7ff7cdad51ed 832->840 841 7ff7cdad514c-7ff7cdad515d 833->841 842 7ff7cdad5120-7ff7cdad514a 834->842 835->809 835->828 836->836 836->840 838->839 845 7ff7cdad5265 839->845 846 7ff7cdad5250-7ff7cdad5260 call 7ff7cdae55a0 839->846 843 7ff7cdad51f0-7ff7cdad51f7 840->843 847 7ff7cdad5160-7ff7cdad5167 841->847 842->841 842->842 843->826 849 7ff7cdad51f9-7ff7cdad5208 843->849 846->845 847->826 848 7ff7cdad516d-7ff7cdad517c 847->848 848->847 851 7ff7cdad517e 848->851 849->826 849->843 851->826
APIs
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: DebugOutputStringmemset
• String ID:
• API String ID: 1084755268-0
• Opcode ID: 15179ab0e3581572edfdf87aa7abaae96eb3885c75d7f535c9901e517c623ba4
• Instruction ID: c5df12970b47a5f067d283fac1027a816f99dbd2d0cc9575cd55b6d2c4dbde82
• Opcode Fuzzy Hash: 15179ab0e3581572edfdf87aa7abaae96eb3885c75d7f535c9901e517c623ba4
• Instruction Fuzzy Hash: 9132B032B19B9189EB20DF60D894BEC63A0FB45798F804236DE1D57B99EF38D645C310

Control-flow Graph

control_flow_graph 1094 7ff7cdae9c30-7ff7cdae9c41 1095 7ff7cdae9c43-7ff7cdae9c5d 1094->1095 1096 7ff7cdae9ca2 1094->1096 1097 7ff7cdae9c68-7ff7cdae9c8a BCryptGenRandom 1095->1097 1098 7ff7cdae9ca4-7ff7cdae9cb4 1096->1098 1099 7ff7cdae9c60-7ff7cdae9c66 1097->1099 1100 7ff7cdae9c8c-7ff7cdae9c98 SystemFunction036 1097->1100 1099->1096 1099->1097 1100->1099 1101 7ff7cdae9c9a-7ff7cdae9ca0 1100->1101 1101->1098
APIs
• BCryptGenRandom.BCRYPT(?,00000000,?,00007FF7CDAE99D5,?,?,?,00007FF7CDB066FB), ref: 00007FF7CDAE9C82
• SystemFunction036.ADVAPI32(?,?,?,00007FF7CDB066FB), ref: 00007FF7CDAE9C93
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: CryptFunction036RandomSystem
• String ID:
• API String ID: 1232939966-0
• Opcode ID: 47d6478e8247f7ef66c1302e22645d240cb7e904ee14eaa11473d1722cd63d14
• Instruction ID: 6eb7d1e2f36d91c3ceb3a230ede5a8b4b6b77bd5e63eb8b553afd36f9933fe92
• Opcode Fuzzy Hash: 47d6478e8247f7ef66c1302e22645d240cb7e904ee14eaa11473d1722cd63d14
• Instruction Fuzzy Hash: 5FF0D162B1DA5548EE647E672E44978D1902F98BF0E684335AC3D83BD1BF289C42E214

Control-flow Graph

control_flow_graph 852 7ff7cdaf6060-7ff7cdaf6080 853 7ff7cdaf6082-7ff7cdaf609c GetStdHandle 852->853 854 7ff7cdaf60be-7ff7cdaf60c2 852->854 855 7ff7cdaf609e-7ff7cdaf60a2 853->855 856 7ff7cdaf60c7-7ff7cdaf60d1 853->856 857 7ff7cdaf6261-7ff7cdaf626e 854->857 858 7ff7cdaf60d6-7ff7cdaf60ec GetConsoleMode 855->858 859 7ff7cdaf60a4-7ff7cdaf60b9 GetLastError 855->859 856->857 860 7ff7cdaf60ee-7ff7cdaf60f5 858->860 861 7ff7cdaf6147-7ff7cdaf615c call 7ff7cdaf5b60 858->861 859->857 862 7ff7cdaf6161-7ff7cdaf6182 call 7ff7cdb02730 860->862 863 7ff7cdaf60f7-7ff7cdaf60fa 860->863 861->857 873 7ff7cdaf61c3-7ff7cdaf61c7 862->873 874 7ff7cdaf6184-7ff7cdaf618b 862->874 865 7ff7cdaf626f-7ff7cdaf629c call 7ff7cdb07f30 863->865 866 7ff7cdaf6100-7ff7cdaf610e 863->866 878 7ff7cdaf62a1-7ff7cdaf62b3 call 7ff7cdb08300 865->878 870 7ff7cdaf6114-7ff7cdaf6135 866->870 871 7ff7cdaf61ba-7ff7cdaf61be 866->871 876 7ff7cdaf613b-7ff7cdaf6142 870->876 877 7ff7cdaf61d8-7ff7cdaf61de 870->877 875 7ff7cdaf625a 871->875 881 7ff7cdaf61cb-7ff7cdaf61ce call 7ff7cdaf6380 873->881 879 7ff7cdaf6191-7ff7cdaf6194 874->879 880 7ff7cdaf6237-7ff7cdaf6248 874->880 875->857 876->857 877->878 882 7ff7cdaf61e4-7ff7cdaf61f8 call 7ff7cdb02730 877->882 884 7ff7cdaf62b8-7ff7cdaf62c8 call 7ff7cdb08300 878->884 879->884 885 7ff7cdaf619a-7ff7cdaf61aa call 7ff7cdb02730 879->885 886 7ff7cdaf6255 880->886 887 7ff7cdaf624a-7ff7cdaf624c 880->887 892 7ff7cdaf61d3 881->892 882->886 894 7ff7cdaf61fa-7ff7cdaf6209 882->894 895 7ff7cdaf62cd-7ff7cdaf62ef call 7ff7cdb080d2 884->895 899 7ff7cdaf61b0-7ff7cdaf61b8 885->899 900 7ff7cdaf631b-7ff7cdaf637b call 7ff7cdb08260 CloseHandle 885->900 886->875 887->886 892->857 894->895 897 7ff7cdaf620f-7ff7cdaf621d call 7ff7cdaf6380 894->897 902 7ff7cdaf62f4-7ff7cdaf6316 call 7ff7cdb080d2 895->902 897->857 907 7ff7cdaf621f-7ff7cdaf622a 897->907 899->881 902->900 907->902 908 7ff7cdaf6230-7ff7cdaf6235 907->908 908->857
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: Handle$CloseConsoleErrorLastMode
• String ID: called `Result::unwrap()` on an `Err` value
• API String ID: 1170577072-2333694755
• Opcode ID: 9df8667fb455948d206d2e0162948ead7c774f0ffd6194c977ee090e8539f944
• Instruction ID: c67f425b15e58cbfe5b48bee92f8f2a2d59a2be9989896a14c38644b43ddec13
• Opcode Fuzzy Hash: 9df8667fb455948d206d2e0162948ead7c774f0ffd6194c977ee090e8539f944
• Instruction Fuzzy Hash: 479193A2F0C79288FB10AF609540BFDA761BB157A8F884136DE6D13695EF7CE585C320

Control-flow Graph

control_flow_graph 909 7ff7cdaf6380-7ff7cdaf63ab call 7ff7cdb05250 912 7ff7cdaf63ad-7ff7cdaf63b3 909->912 913 7ff7cdaf63e7-7ff7cdaf640d MultiByteToWideChar 909->913 914 7ff7cdaf63c0-7ff7cdaf63ca 912->914 915 7ff7cdaf6413-7ff7cdaf641b 913->915 916 7ff7cdaf655a-7ff7cdaf6596 call 7ff7cdb07f30 913->916 914->914 917 7ff7cdaf63cc-7ff7cdaf63cf 914->917 918 7ff7cdaf6421-7ff7cdaf644d WriteConsoleW 915->918 919 7ff7cdaf659b-7ff7cdaf65aa call 7ff7cdb08300 915->919 916->919 921 7ff7cdaf63e1 917->921 922 7ff7cdaf63d1-7ff7cdaf63d6 917->922 923 7ff7cdaf6453-7ff7cdaf645c 918->923 924 7ff7cdaf652e-7ff7cdaf6543 GetLastError 918->924 931 7ff7cdaf65af-7ff7cdaf65bc call 7ff7cdb08300 919->931 921->913 926 7ff7cdaf65c1-7ff7cdaf65d6 call 7ff7cdb08360 921->926 922->926 927 7ff7cdaf63dc-7ff7cdaf63df 922->927 929 7ff7cdaf6462 923->929 930 7ff7cdaf6547 923->930 928 7ff7cdaf6549-7ff7cdaf6559 924->928 933 7ff7cdaf65db-7ff7cdaf65fc call 7ff7cdb08054 926->933 927->913 929->933 934 7ff7cdaf6468-7ff7cdaf647a 929->934 930->928 931->926 937 7ff7cdaf64bd-7ff7cdaf64c0 934->937 938 7ff7cdaf647c-7ff7cdaf64b5 WriteConsoleW 934->938 937->931 941 7ff7cdaf64c6-7ff7cdaf64c9 937->941 938->937 940 7ff7cdaf64b7 GetLastError 938->940 940->937 942 7ff7cdaf6545 941->942 943 7ff7cdaf64cb-7ff7cdaf64d2 941->943 942->930 944 7ff7cdaf64ec-7ff7cdaf64fc 943->944 945 7ff7cdaf64e0-7ff7cdaf64ea 944->945 946 7ff7cdaf64fe-7ff7cdaf650e 944->946 945->930 945->944 946->945 947 7ff7cdaf6510-7ff7cdaf652c 946->947 947->945
APIs
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: ConsoleErrorLastWrite$ByteCharMultiWide
• String ID:
• API String ID: 1956605914-0
• Opcode ID: ab115f8a0e060e1228490673e784b3cd7386c8748cb427263d3f32dfdf7a575a
• Instruction ID: ad243a0a2bb232a02a842e55f805332e212cbdac309dfb93b876021128268652
• Opcode Fuzzy Hash: ab115f8a0e060e1228490673e784b3cd7386c8748cb427263d3f32dfdf7a575a
• Instruction Fuzzy Hash: FD51B4B1B0C59245E720AF20D944BFDE251BB447A4F884232D96D57AE8FF3CE9858220

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: DebugOutputStringmemset
• String ID: Failed to encrypt function name
• API String ID: 1084755268-2980051713
• Opcode ID: e7781a507f3b536f756127b2ad86d54146cebffd6e1153c1321e5608226adf90
• Instruction ID: 10f45de23ceabf72757a5d9e0c79aeda0a702b92d44e9dffa4070c42f313fe98
• Opcode Fuzzy Hash: e7781a507f3b536f756127b2ad86d54146cebffd6e1153c1321e5608226adf90
• Instruction Fuzzy Hash: 93A1A072E18BD188EB309F24E854BECA760FB55768F844239CE6C17B96EF389650C350

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: DebugOutputStringmemset
• String ID: called `Result::unwrap()` on an `Err` value
• API String ID: 1084755268-2333694755
• Opcode ID: a67f1821f597c1729166b8e9bf8d91553234da78e984e14b1cd837803dd65ae1
• Instruction ID: 767d39b8364857de9977dcdd1c8a580b98199253c81aced862b3bf7425ada36a
• Opcode Fuzzy Hash: a67f1821f597c1729166b8e9bf8d91553234da78e984e14b1cd837803dd65ae1
• Instruction Fuzzy Hash: 59819272B0DB9689EB21AF60D850BEDB360FB04768F844136CA6D17B95EF38E645C310

Control-flow Graph

control_flow_graph 1085 7ff7cdae0b00-7ff7cdae0b34 memset 1086 7ff7cdae0bda-7ff7cdae0bf6 OutputDebugStringW 1085->1086 1087 7ff7cdae0b3a-7ff7cdae0b4c 1085->1087 1088 7ff7cdae0b4e-7ff7cdae0b56 1087->1088 1089 7ff7cdae0b58-7ff7cdae0b7b 1087->1089 1091 7ff7cdae0bac-7ff7cdae0bba 1088->1091 1090 7ff7cdae0b80-7ff7cdae0baa 1089->1090 1090->1090 1090->1091 1092 7ff7cdae0bc0-7ff7cdae0bc7 1091->1092 1092->1086 1093 7ff7cdae0bc9-7ff7cdae0bd8 1092->1093 1093->1086 1093->1092
APIs
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: DebugOutputStringmemset
• String ID:
• API String ID: 1084755268-0
• Opcode ID: 58a8dd56b87ae94f9c2a6c3c781ac563cd77c6e98e02bd622f9eb88481f3a822
• Instruction ID: 4349c89720289780f05d5e0498e90666a7b3159c24f7b85157e8bc707c1ce21c
• Opcode Fuzzy Hash: 58a8dd56b87ae94f9c2a6c3c781ac563cd77c6e98e02bd622f9eb88481f3a822
• Instruction Fuzzy Hash: 08214822F2869541EB209B24E150BBDD221EB9A7D8F908331DA4E53E86EF2CD651C304
APIs
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 313767242-0
• Opcode ID: 47b0e820f7a3ace8fff452a8742e4a340094a77648f68a2620da130c351214ea
• Instruction ID: e8c7174d42e4b99efd4429faedb307bed4c083fabdc3bd9d9d6d9ab5b6814942
• Opcode Fuzzy Hash: 47b0e820f7a3ace8fff452a8742e4a340094a77648f68a2620da130c351214ea
• Instruction Fuzzy Hash: 5A3145B270DB8186EB609F60E890BED73A4F744754F444039DA5E47B95EF38E548C710
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: Error$FileFormatHandleLastMessageModuleObjectSingleStatusWaitWrite
• String ID: NTDLL.DLL
• API String ID: 415079386-1613819793
• Opcode ID: 5df13727368c8cff682b51be1943741d8aebc6c52b63a373740ca2935bdca9e7
• Instruction ID: f2fb954c0bdd301003f1bc3e5f7215d960ea62c4212dd71e03d101b4ce62716c
• Opcode Fuzzy Hash: 5df13727368c8cff682b51be1943741d8aebc6c52b63a373740ca2935bdca9e7
• Instruction Fuzzy Hash: 86D19F72B0DB8289E731DF20E840BECA6A4FB44364F944176DA6D47B94EF78DA85C310
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: memset
• String ID: arenegyl$modnarod$setybdet$uespemos
• API String ID: 2221118986-66988881
• Opcode ID: 0a01c997f5cf95d748e7a4a28e3d4d1436f28eff81b03a72445b9a56f186dc9f
• Instruction ID: 084671a50e314bb02d4b7a19d4e28ef9ddfadb1d6b7a503153d99b66c0ed06d0
• Opcode Fuzzy Hash: 0a01c997f5cf95d748e7a4a28e3d4d1436f28eff81b03a72445b9a56f186dc9f
• Instruction Fuzzy Hash: 01A17AA2F1C79546EE50AF197905BAAA691BB04BE4F885731DE7D17BC0EF3CE141D200
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
Similarity
• API ID: memset
• String ID: arenegyl$modnarod$setybdet$uespemos
• API String ID: 2221118986-66988881
• Opcode ID: 99c1b41fc3c62e9bd297a1f2eb2d7f444b105530d3b711e2489294c65428339c
• Instruction ID: 0ec576599c503a736f6826c7abb3b6e8794d462f77b873a8d8e8334e2ac221a1
• Opcode Fuzzy Hash: 99c1b41fc3c62e9bd297a1f2eb2d7f444b105530d3b711e2489294c65428339c
• Instruction Fuzzy Hash: EFA158A2F1879647EE50AF19A811BAAA651BB44BE4F889331DE7C077C1EE3CE141C250
APIs
• memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?), ref: 00007FF7CDAFF0FA
• memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?), ref: 00007FF7CDAFF6AF
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: memmove
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2162964266-0
                                                                                                                                                                                        • Opcode ID: a7bd2f5d4b7eff99de0a9676cb747dc0666d5d97c7cc4d69d3ed8be811783164
                                                                                                                                                                                        • Instruction ID: 2f318af0c0548c1974b68a72007552f6414850200bbb9adfd47e2eedd1399a2d
                                                                                                                                                                                        • Opcode Fuzzy Hash: a7bd2f5d4b7eff99de0a9676cb747dc0666d5d97c7cc4d69d3ed8be811783164
                                                                                                                                                                                        • Instruction Fuzzy Hash: DC621613B1C6915DFB00AF6484006FD9BA1F7193A4F848676DA6D5BBC9EF38DA09C360
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: arenegyl$called `Result::unwrap()` on an `Err` value$modnarod$setybdep$uespemos
                                                                                                                                                                                        • API String ID: 0-2252471832
                                                                                                                                                                                        • Opcode ID: 7681ba6aa12d5fc4b63c4c61aa45e453cb32aab0131e1ee9415cd192920deefa
                                                                                                                                                                                        • Instruction ID: 6679821cff190839b0274a7406e26f3e7b8aed4851c2789888ee7e588e525dec
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7681ba6aa12d5fc4b63c4c61aa45e453cb32aab0131e1ee9415cd192920deefa
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6D718BE6F0DB9642FA50AFA16410FEE9721AB057E4FC48132DD6D23795EE3CE5418250
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2933794660-0
                                                                                                                                                                                        • Opcode ID: b8143a3755dd1fb56982019fa07b7cbc4bca24114d71dcc4116c0fe821f2932e
                                                                                                                                                                                        • Instruction ID: ebdd7f20c46ebb0315d43ba8574d3d48e83ec062491aae50a6e1fedbf21f3b40
                                                                                                                                                                                        • Opcode Fuzzy Hash: b8143a3755dd1fb56982019fa07b7cbc4bca24114d71dcc4116c0fe821f2932e
                                                                                                                                                                                        • Instruction Fuzzy Hash: A8113C32B58F018AEF00DF60E8556B973A4FB59768F840E31EA7D467A4EF78E1648350
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: arenegyl$modnarod$setybdep$uespemos
                                                                                                                                                                                        • API String ID: 0-169184043
                                                                                                                                                                                        • Opcode ID: c328c8a52741ec300421d053629f8206d4ff79205767c43c341aa85811c78aee
                                                                                                                                                                                        • Instruction ID: 891414873d07928bd3b13d879440369edcdf029bdca4c2087e9df6d84a34d7f9
                                                                                                                                                                                        • Opcode Fuzzy Hash: c328c8a52741ec300421d053629f8206d4ff79205767c43c341aa85811c78aee
                                                                                                                                                                                        • Instruction Fuzzy Hash: EF6159A2F18B9542FB019FB56461BFD6B60A71AB54F809636DF6E23741EF3892D1C200
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: arenegyl$modnarod$setybdep$uespemos
                                                                                                                                                                                        • API String ID: 0-169184043
                                                                                                                                                                                        • Opcode ID: 0ae39de6df46605e194ab9eeb403b617744b00d465168c9e029b0a7a7cee4fca
                                                                                                                                                                                        • Instruction ID: 41dd030abe355f857cd818b08d44d1c435b22227d4f1b99f4f2e9f8003adb7c6
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0ae39de6df46605e194ab9eeb403b617744b00d465168c9e029b0a7a7cee4fca
                                                                                                                                                                                        • Instruction Fuzzy Hash: E451AA52F2837642F2507FBA2841FE969616B55BA0F959332ED3C637C2E635CE83C200
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: Authenti$GenuineI$HygonGen
                                                                                                                                                                                        • API String ID: 0-696657513
                                                                                                                                                                                        • Opcode ID: e5990f2c905ff51ad393bc0c2406722b3a13bb944a37eb53f911918456c2f152
                                                                                                                                                                                        • Instruction ID: 841d52710a5c775b17856f72345a319caafece24d049daafc8bc12c1c3e93907
                                                                                                                                                                                        • Opcode Fuzzy Hash: e5990f2c905ff51ad393bc0c2406722b3a13bb944a37eb53f911918456c2f152
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6AB158A3B34AA102FB198E56BD12BB94991B358BD8F486438ED2F57BC0DD7CDA10C211
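Reading the String ID fields of the records above (added example, not part of the Joe Sandbox report or the sample): the tokens `arenegyl`, `modnarod`, `setybdet` and `uespemos` are the eight-byte tokens `lygenera`, `dorandom`, `tedbytes` and `somepseu` written backwards, and those four words are the well-known SipHash initialization constants 0x6c7967656e657261, 0x646f72616e646f6d, 0x7465646279746573 and 0x736f6d6570736575. The assumption behind the decoder below, which the report does not state, is that an eight-character String ID token is the in-memory byte sequence of a 64-bit immediate: a constant written in source as a hex literal spelling a word shows up reversed on a little-endian x86-64 target, while a constant assembled from bytes (the CPUID leaf-0 vendor string compare behind `Authenti$GenuineI$HygonGen`, i.e. the first eight bytes of AuthenticAMD, GenuineIntel and HygonGenuine) shows up in reading order. The `called \`Result::unwrap()\` on an \`Err\` value` token in one record is a Rust standard-library panic message, and Rust's default hasher is SipHash-1-3, which is a plausible but unconfirmed origin for these constants. Function and class names are hypothetical; the inputs are the String ID values copied from this report.

```python
"""Decode Joe Sandbox 'String ID' tokens that are really 8-byte immediates.

Added example, not part of the report. Assumption (not stated by the report):
a token of exactly eight printable ASCII bytes is the in-memory byte sequence
of a 64-bit immediate on a little-endian target, so a hex literal that spells
a word (SipHash's 0x736f6d6570736575 == 'somepseu') appears byte-reversed,
while a constant built from bytes (a CPUID vendor register compare) appears
in reading order.
"""
from dataclasses import dataclass
from typing import List, Optional

# Well-known SipHash initialization constants (the v0..v3 XOR masks).
SIPHASH_INIT = {
    0x736F6D6570736575: "SipHash v0 init constant 'somepseu'",
    0x646F72616E646F6D: "SipHash v1 init constant 'dorandom'",
    0x6C7967656E657261: "SipHash v2 init constant 'lygenera'",
    0x7465646279746573: "SipHash v3 init constant 'tedbytes'",
}

# First 8 bytes of the CPUID leaf-0 vendor strings (EBX:EDX:ECX order).
CPUID_VENDOR_PREFIX = {
    "Authenti": "AuthenticAMD",
    "GenuineI": "GenuineIntel",
    "HygonGen": "HygonGenuine",
}


@dataclass(frozen=True)
class Token:
    raw: str                 # token exactly as printed in the report
    imm64: Optional[int]     # the immediate, if the token is an 8-byte value
    swapped: Optional[str]   # same bytes in reverse (the hex-literal reading)
    note: str                # what the value is, if recognised


def decode_token(tok: str) -> Token:
    """Classify one '$'-separated token from a String ID field."""
    if len(tok) != 8 or not tok.isascii() or not tok.isprintable():
        # Longer or non-ASCII tokens are references to string literals
        # (e.g. a Rust panic message), not packed immediates.
        return Token(tok, None, None, "string literal reference")
    data = tok.encode("ascii")
    imm = int.from_bytes(data, "little")  # x86-64 immediates are little-endian
    swapped = data[::-1].decode("ascii")
    if imm in SIPHASH_INIT:
        note = SIPHASH_INIT[imm]
    elif tok in CPUID_VENDOR_PREFIX:
        note = f"CPUID vendor prefix of {CPUID_VENDOR_PREFIX[tok]}"
    else:
        note = "unrecognised 8-byte immediate"
    return Token(tok, imm, swapped, note)


def decode_string_id(string_id: str) -> List[Token]:
    """Split a report 'String ID' on '$' and decode each token."""
    return [decode_token(t) for t in string_id.split("$")]


def recognised(string_id: str) -> List[str]:
    """Notes for tokens that matched a known constant, in report order."""
    return [t.note for t in decode_string_id(string_id)
            if t.imm64 is not None and not t.note.startswith("unrecognised")]


if __name__ == "__main__":
    # String ID values copied from the similarity records in this report.
    for sid in ("arenegyl$modnarod$setybdet$uespemos",
                "Authenti$GenuineI$HygonGen",
                "arenegyl$called `Result::unwrap()` on an `Err` value"
                "$modnarod$setybdep$uespemos"):
        for t in decode_string_id(sid):
            imm = "-" if t.imm64 is None else f"{t.imm64:#018x}"
            print(f"{t.raw!r:48} {imm:20} -> {t.note}")
```

Tokens that do not match a known constant (the `setybdep` in two of the records decodes to `pedbytes`, one byte away from `tedbytes`) are reported as unrecognised rather than guessed at; treat such a near-miss as a lead for manual inspection of the function at the listed address, not as a fact.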
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
• Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: b67a418b2c820b193e66971eb1750707129ebf5109979fa31b089b85a66bef28
                                                                                                                                                                                        • Instruction ID: 47f5bdf32b00626697a7e770846e1f2f3050e1de85fbb3428f0306f7b4f3de54
                                                                                                                                                                                        • Opcode Fuzzy Hash: b67a418b2c820b193e66971eb1750707129ebf5109979fa31b089b85a66bef28
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8DD1C612618AD482F6129B3DA4466ABE361FFD9394F54A311FFD826A54EF38E1C58700
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 88d53cf72315a2491a1acf38b3ec6271b89d3960f73a4c660d5a56a1408bf87c
                                                                                                                                                                                        • Instruction ID: 1578f658a9e0ab14f4a7c236c89092ffc09d05ec2039ec89d664f7916efb8cd9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 88d53cf72315a2491a1acf38b3ec6271b89d3960f73a4c660d5a56a1408bf87c
                                                                                                                                                                                        • Instruction Fuzzy Hash: B1C14D62D19FC542E723AB3CA4032E6E310FFEA384F00D316FED47595AEB69E6459610
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: b20f7bc080719c1c1f3ae5b196f2442c1df25a9a2f5e432d3dc0e4515f377300
                                                                                                                                                                                        • Instruction ID: 2542ae72c4ccfa20196c65beb1892f13c0bd88adc0b991ce806802190909264d
                                                                                                                                                                                        • Opcode Fuzzy Hash: b20f7bc080719c1c1f3ae5b196f2442c1df25a9a2f5e432d3dc0e4515f377300
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6971A3A3754B64867A04CFF2A830897E7A5F359FC4B19B425AF8D27F18CA3CC552D640
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: a468d8317a8448694612e1593cf183880a8134b48c99839950a437511642b147
                                                                                                                                                                                        • Instruction ID: af18812d41c4f90770d11517c90606fe782748f4d1917eb669c2d870e906b1e6
                                                                                                                                                                                        • Opcode Fuzzy Hash: a468d8317a8448694612e1593cf183880a8134b48c99839950a437511642b147
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8261E2A2F7547693BA429EB28513DF96E10B728BD2303D931DD2A23780E974ED4FC215
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 516913f712a79e31602e76090d16c532121ebdbc7cbb616029c414f36c94abab
                                                                                                                                                                                        • Instruction ID: 457270f5b50bb61aa528683f3fab3dfe895481d90fd9d043ceb4ef80d636bc9e
                                                                                                                                                                                        • Opcode Fuzzy Hash: 516913f712a79e31602e76090d16c532121ebdbc7cbb616029c414f36c94abab
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C51EB63729B14456A40CFE2BD609AB6690B758BD4F49B436FE4DA7709CE3CCB829240
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 63f73319fad2da576f3d5b9983d65f57c7789e905c01965cd88b4a1bca77e753
                                                                                                                                                                                        • Instruction ID: ac863f4bedc9bddaddae5922fc041a548a0128ccda551c0194af9db404a13d21
                                                                                                                                                                                        • Opcode Fuzzy Hash: 63f73319fad2da576f3d5b9983d65f57c7789e905c01965cd88b4a1bca77e753
                                                                                                                                                                                        • Instruction Fuzzy Hash: 35511963725B24456A40DFF2BD609AB6650B76CFD4F49B422FE8CA7705CE3CCB869240
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: e49d64f606b30b5e613b7687bc14d59ee01eaa8d31e2a8703c4f9323d8549704
                                                                                                                                                                                        • Instruction ID: d416797be00467981505a8bf5a77a3e2a1a5905893b636c8e13afd6d057c9589
                                                                                                                                                                                        • Opcode Fuzzy Hash: e49d64f606b30b5e613b7687bc14d59ee01eaa8d31e2a8703c4f9323d8549704
                                                                                                                                                                                        • Instruction Fuzzy Hash: 176173A3315BA4427A04CFF2BD3199BABA5F649BD8B00F435EE8D57B1CDA3CC4518640
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 4a5052886ae8791df3e3aade1c897a77a9afdf7e8fe609916b5f9302e4dbc497
                                                                                                                                                                                        • Instruction ID: c06ad373f088eac6773fd2505e3dcc1f82ea758196c565d403a05ddc2eec12b5
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4a5052886ae8791df3e3aade1c897a77a9afdf7e8fe609916b5f9302e4dbc497
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2951D6F3725A10526E45CFA3BC24AB69652BB1CFD4F40E421DE0D9BB1ACE3CCA569340
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 7bcd44aacf1be6df8b683f518df340d7f83a1aa97022882a5af4655f99829e9a
                                                                                                                                                                                        • Instruction ID: 031cdd25f8197c5c57da5a8c2ab3e41862ac2129b1330e0fbd5ef58862bbe5cf
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7bcd44aacf1be6df8b683f518df340d7f83a1aa97022882a5af4655f99829e9a
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6751DAF3726A10425E45CFA2BC249B69652FA1CBD4F40D431DF1D97B09CE3CCA529340
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: dbee0296d68a45a4e5011e14e78ef7d3f61107bd3d503f6abe85d47c4473e09a
                                                                                                                                                                                        • Instruction ID: 483b6cafddcb58c2d63febc22e83b766fe4bb801c7eb542a8cf0cfa7ab332378
                                                                                                                                                                                        • Opcode Fuzzy Hash: dbee0296d68a45a4e5011e14e78ef7d3f61107bd3d503f6abe85d47c4473e09a
                                                                                                                                                                                        • Instruction Fuzzy Hash: FB41F163719A24827E58EFE2BE71877A651B75CBD0F48B436EE4E97704CE3CC5828240
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • internal error: entered unreachable code/rustc/6d9f6ae36ae1299d6126ba40c15191f7aa3b79d8\library\alloc\src\vec\mod.rs, xrefs: 00007FF7CDAEFFA0
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLast$EnvironmentVariable
                                                                                                                                                                                        • String ID: internal error: entered unreachable code/rustc/6d9f6ae36ae1299d6126ba40c15191f7aa3b79d8\library\alloc\src\vec\mod.rs
                                                                                                                                                                                        • API String ID: 2691138088-4211467735
                                                                                                                                                                                        • Opcode ID: 2f5bda11242709f7d3a9db386863ad846d2b631631a1dafbb5598fb8ddd67ac9
                                                                                                                                                                                        • Instruction ID: 78b384df848a42da502fed656bb765966d5497e7b30d33c0070c4ec3615c360a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f5bda11242709f7d3a9db386863ad846d2b631631a1dafbb5598fb8ddd67ac9
                                                                                                                                                                                        • Instruction Fuzzy Hash: 81A1A462B08AC585EB709F21D8447ECA395FB4CBA8F844135DE2C4BB95EF38D691C360
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • Failed to resolve NtAllocateVirtualMemoryFailed to resolve NtProtectVirtualMemory for section , xrefs: 00007FF7CDADBFE4
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DebugOutputStringmemset
                                                                                                                                                                                        • String ID: Failed to resolve NtAllocateVirtualMemoryFailed to resolve NtProtectVirtualMemory for section
                                                                                                                                                                                        • API String ID: 1084755268-291501945
                                                                                                                                                                                        • Opcode ID: a9c91917afe164fbc750d45334f42a06d0874de28584444aaa69bd1306d95ef0
                                                                                                                                                                                        • Instruction ID: f045d83e7050e906cfbc83e460482f25a89f84aae9b0cec5e8e410d17cafd30c
                                                                                                                                                                                        • Opcode Fuzzy Hash: a9c91917afe164fbc750d45334f42a06d0874de28584444aaa69bd1306d95ef0
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0531E362B2CB8641EA109F14F054BBDE361EB85794F904235EA9D07B9AEF2DD640CB10
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • Failed to resolve NtProtectVirtualMemorySuccessfully updated protection for mapped image to PAGE_EXECUTE_READ.Number of sections: , xrefs: 00007FF7CDADC164
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000000.00000002.3103272049.00007FF7CDAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7CDAD0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000000.00000002.3103128779.00007FF7CDAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103487047.00007FF7CDB09000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103635504.00007FF7CDB1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000000.00000002.3103753473.00007FF7CDB1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7cdad0000_hades.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DebugOutputStringmemset
                                                                                                                                                                                        • String ID: Failed to resolve NtProtectVirtualMemorySuccessfully updated protection for mapped image to PAGE_EXECUTE_READ.Number of sections:
                                                                                                                                                                                        • API String ID: 1084755268-1319887091
                                                                                                                                                                                        • Opcode ID: 98470e2d6b0fa72a61f81d609076a41170e28f0cdfd137ec68f837034699ae87
                                                                                                                                                                                        • Instruction ID: 9d3645bf1f3a14bd47c6dc523807f7363b6efce4d16a337d1bf131df59b9c5fd
                                                                                                                                                                                        • Opcode Fuzzy Hash: 98470e2d6b0fa72a61f81d609076a41170e28f0cdfd137ec68f837034699ae87
                                                                                                                                                                                        • Instruction Fuzzy Hash: 62310372B2CB9251EA10AF14F450BAEE361EB85794FD04235E69D03B9AEF2DD640C710